Bulletin ID: MS10-106 |
Title: Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132) |
Update Type: Security Update |
Severity: Moderate |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
Vulnerabilities: CVE-2010-3937 |
Included Updates: 2407132 |
Applies to: Exchange Server 2007 |
Bulletin ID: MS10-105 |
Title: Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves seven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-3945 CVE-2010-3946 CVE-2010-3947 CVE-2010-3949 CVE-2010-3950 CVE-2010-3951 CVE-2010-3952 |
Included Updates: 2288931 2289078 2289162 2289163 2431831 2456849 968095 |
Applies to: Microsoft Works 9 Office 2002/XP Office 2003 Office 2007 Office 2010 |
Bulletin ID: MS10-104 |
Title: Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft SharePoint. The vulnerability could allow remote code execution in the security context of a guest user if an attacker sent a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007. | ||||
Vulnerabilities: CVE-2010-3964 |
Included Updates: 2433089 2455005 |
Applies to: Office 2007 |
Bulletin ID: MS10-103 |
Title: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2569 CVE-2010-2570 CVE-2010-2571 CVE-2010-3954 CVE-2010-3955 |
Included Updates: 2284692 2284695 2284697 2292970 2409055 |
Applies to: Office 2002/XP Office 2003 Office 2007 Office 2010 |
Bulletin ID: MS10-102 |
Title: Vulnerability in Hyper-V Could Allow Denial of Service (2345316) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-3960 |
Included Updates: 2345316 |
Applies to: Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS10-101 |
Title: Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in the Netlogon RPC Service on affected versions of Windows Server that are configured to serve as domain controllers. The vulnerability could allow denial of service if an attacker sends a specially crafted RPC packet to the Netlogon RPC Service interface on an affected system. An attacker requires administrator privileges on a machine that is joined to the same domain as the affected domain controller in order to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2010-2742 |
Included Updates: 2207559 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS10-100 |
Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-3961 |
Included Updates: 2442962 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS10-099 |
Title: Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update addresses a privately reported vulnerability in the Routing and Remote Access NDProxy component of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-3963 |
Included Updates: 2440591 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-097 |
Title: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a publicly disclosed vulnerability in the Internet Connection Signup Wizard of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-3144 |
Included Updates: 2443105 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-096 |
Title: Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a publicly disclosed vulnerability in Windows Address Book. The vulnerability could allow remote code execution if a user opens a Windows Address Book file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. | ||||
Vulnerabilities: CVE-2010-3147 |
Included Updates: 2423089 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-094 |
Title: Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a publicly disclosed vulnerability in Windows Media Encoder. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Media Profile (.prx) file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. | ||||
Vulnerabilities: CVE-2010-3965 |
Included Updates: 2447961 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-093 |
Title: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a publicly disclosed vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Movie Maker file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. | ||||
Vulnerabilities: CVE-2010-3967 |
Included Updates: 2424434 |
Applies to: Windows Vista |
Bulletin ID: MS10-092 |
Title: Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-3338 |
Included Updates: 2305420 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS10-086 |
Title: Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255) |
Update Type: Security Update |
Severity: Moderate |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in Windows Server 2008 R2 when used as a shared failover cluster. The vulnerability could allow data tampering on the administrative shares of failover cluster disks. By default, Windows Server 2008 R2 servers are not affected by this vulnerability. This vulnerability only applies to the cluster disks used in a failover cluster. | ||||
Vulnerabilities: CVE-2010-3223 |
Included Updates: 2294255 |
Applies to: Windows Server 2008 R2 |
Bulletin ID: MS10-083 |
Title: Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882) |
Update Type: Security Update |
Severity: Important |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted file using WordPad or selects or opens a shortcut file that is on a network or WebDAV share. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-1263 |
Included Updates: 2405882 979687 979688 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-076 |
Title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-1883 |
Included Updates: 982132 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-075 |
Title: Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-12-14 |
Description: This security update resolves a privately reported vulnerability in the Microsoft Windows Media Player Network Sharing Service. The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet. | ||||
Vulnerabilities: CVE-2010-3225 |
Included Updates: 2281679 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Vista |
Bulletin ID: MS10-074 |
Title: Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149) |
Update Type: Security Update |
Severity: Moderate |
Date: 2010-12-14 |
Description: This security update resolves a publicly disclosed vulnerability in the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user is logged on with administrative user rights and opens an application built with the MFC Library. An attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-3227 |
Included Updates: 2387149 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-088 |
Title: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386) |
Update Type: Security Update |
Severity: Important |
Date: 2010-11-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2572 CVE-2010-2573 |
Included Updates: 2293386 2413272 2413304 2413381 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-087 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-11-09 |
Description: This security update resolves one publicly disclosed vulnerability and five privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2573 CVE-2010-3333 CVE-2010-3334 CVE-2010-3335 CVE-2010-3336 CVE-2010-3337 |
Included Updates: 2289158 2289161 2289169 2289187 2423930 |
Applies to: Office 2002/XP Office 2003 Office 2007 Office 2010 |
Bulletin ID: MS10-084 |
Title: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937) |
Update Type: Security Update |
Severity: Important |
Date: 2010-10-12 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-3222 |
Included Updates: 2360937 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-082 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111) |
Update Type: Security Update |
Severity: Important |
Date: 2010-10-12 |
Description: This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2745 |
Included Updates: 2378111 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-080 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211) |
Update Type: Security Update |
Severity: Important |
Date: 2010-10-12 |
Description: This security update resolves thirteen privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file or a specially crafted Lotus 1-2-3 file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-3230 CVE-2010-3231 CVE-2010-3232 CVE-2010-3233 CVE-2010-3234 CVE-2010-3235 CVE-2010-3236 CVE-2010-3237 CVE-2010-3238 CVE-2010-3239 CVE-2010-3240 CVE-2010-3241 CVE-2010-3242 |
Included Updates: 2293211 2344875 2344893 2345017 2345035 2345088 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-079 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194) |
Update Type: Security Update |
Severity: Important |
Date: 2010-10-12 |
Description: This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2747 CVE-2010-2748 CVE-2010-2750 CVE-2010-3214 CVE-2010-3215 CVE-2010-3216 CVE-2010-3217 CVE-2010-3218 CVE-2010-3219 CVE-2010-3220 CVE-2010-3221 |
Included Updates: 2293194 2328360 2344911 2344993 2345000 2345009 2345015 2345043 2346411 |
Applies to: Office 2002/XP Office 2003 Office 2007 Office 2010 |
Bulletin ID: MS10-078 |
Title: Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986) |
Update Type: Security Update |
Severity: Important |
Date: 2010-10-12 |
Description: This security update resolves two privately reported vulnerabilities in the Windows OpenType Font (OTF) format driver. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-2740 CVE-2010-2741 |
Included Updates: 2279986 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-072 |
Title: Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048) |
Update Type: Security Update |
Severity: Important |
Date: 2010-10-12 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft SharePoint and Windows SharePoint Services. The vulnerabilities could allow information disclosure if an attacker submits specially crafted script to a target site using SafeHTML. | ||||
Vulnerabilities: CVE-2010-3243 CVE-2010-3324 |
Included Updates: 2345212 2345304 2345322 2346298 2412048 |
Applies to: Office 2007 Office 2010 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS10-062 |
Title: Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-10-12 |
Description: This security update resolves a privately reported vulnerability in MPEG-4 codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0818 |
Included Updates: 975558 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-069 |
Title: Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546) |
Update Type: Security Update |
Severity: Important |
Date: 2010-09-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-1891 |
Included Updates: 2121546 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-068 |
Title: Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539) |
Update Type: Security Update |
Severity: Important |
Date: 2010-09-14 |
Description: This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if an authenticated attacker sent specially crafted Lightweight Directory Access Protocol (LDAP) messages to a listening LSASS server. In order to successfully exploit this vulnerability, an attacker must have a member account within the target Windows domain. However, the attacker does not need to have a workstation joined to the Windows domain. | ||||
Vulnerabilities: CVE-2010-0820 |
Included Updates: 981550 982000 983539 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-067 |
Title: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922) |
Update Type: Security Update |
Severity: Important |
Date: 2010-09-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-2563 |
Included Updates: 2259922 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-066 |
Title: Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802) |
Update Type: Security Update |
Severity: Important |
Date: 2010-09-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-2567 |
Included Updates: 982802 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-065 |
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960) |
Update Type: Security Update |
Severity: Important |
Date: 2010-09-14 |
Description: This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Information Services (IIS). The most severe of these vulnerabilities could allow remote code execution if a client sends a specially crafted HTTP request to the server. An attacker who successfully exploited this vulnerability could take complete control of an affected system. | ||||
Vulnerabilities: CVE-2010-1899 CVE-2010-2730 CVE-2010-2731 |
Included Updates: 2124261 2267960 2271195 2290570 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-064 |
Title: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-09-14 |
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened or previewed a specially crafted e-mail message using an affected version of Microsoft Outlook that is connected to an Exchange server with Online Mode. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2728 |
Included Updates: 2288953 2293422 2293428 2315011 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-063 |
Title: Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-09-14 |
Description: This security update resolves a privately reported vulnerability in the Unicode Scripts Processor. The vulnerability could allow remote code execution if a user viewed a specially crafted document or Web page with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2738 |
Included Updates: 2288608 2288613 2288621 2320113 981322 |
Applies to: Office 2002/XP Office 2003 Office 2007 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-061 |
Title: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-09-14 |
Description: This security update resolves a publicly disclosed vulnerability in the Print Spooler service. The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC. By default, printers are not shared on any currently supported Windows operating system. | ||||
Vulnerabilities: CVE-2010-2729 |
Included Updates: 2347290 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-050 |
Title: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997) |
Update Type: Security Update |
Severity: Important |
Date: 2010-08-24 |
Description: This security update resolves a privately reported vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2564 |
Included Updates: 981997 |
Applies to: Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-060 |
Title: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-08-10 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario. | ||||
Vulnerabilities: CVE-2010-0019 CVE-2010-1898 |
Included Updates: 2265906 978464 983582 983583 983587 983588 983589 983590 |
Applies to: Silverlight Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-059 |
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) |
Update Type: Security Update |
Severity: Important |
Date: 2010-08-10 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-2554 CVE-2010-2555 |
Included Updates: 982799 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS10-057 |
Title: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707) |
Update Type: Security Update |
Severity: Important |
Date: 2010-08-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2562 |
Included Updates: 2264397 2264403 2269707 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS10-056 |
Title: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-08-10 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-1900 CVE-2010-1901 CVE-2010-1902 CVE-2010-1903 |
Included Updates: 2092914 2251389 2251399 2251419 2251437 2269638 2277947 |
Applies to: Microsoft Works 9 Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-055 |
Title: Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-08-10 |
Description: This security update resolves a privately reported vulnerability in Cinepak Codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2553 |
Included Updates: 982665 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-052 |
Title: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-08-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-1882 |
Included Updates: 2115168 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-045 |
Title: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212) |
Update Type: Security Update |
Severity: Important |
Date: 2010-07-13 |
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0266 |
Included Updates: 978212 980371 980373 980376 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-044 |
Title: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-07-13 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0814 CVE-2010-1881 |
Included Updates: 979440 981716 982335 |
Applies to: Office 2003 Office 2007 |
Bulletin ID: MS10-043 |
Title: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-07-13 |
Description: This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. | ||||
Vulnerabilities: CVE-2009-3678 |
Included Updates: 2032276 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 R2 |
Bulletin ID: MS10-042 |
Title: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-07-13 |
Description: This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message. | ||||
Vulnerabilities: CVE-2010-1885 |
Included Updates: 2229593 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-041 |
Title: Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343) |
Update Type: Security Update |
Severity: Important |
Date: 2010-07-13 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering of signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability. | ||||
Vulnerabilities: CVE-2009-0217 |
Included Updates: 979904 979906 979907 979909 979910 979911 979913 979916 981343 982865 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-026 |
Title: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-06-22 |
Description: This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file containing an MPEG Layer-3 audio stream. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0480 |
Included Updates: 977816 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-061 |
Title: Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-06-22 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability. | ||||
Vulnerabilities: CVE-2009-0090 CVE-2009-0091 CVE-2009-2497 |
Included Updates: 953295 953297 953298 953300 974291 974292 974378 974417 974467 974468 974469 974470 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-040 |
Title: Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666) |
Update Type: Security Update |
Severity: Important |
Date: 2010-06-08 |
Description: This security update resolves a privately reported vulnerability in Internet Information Services (IIS). The vulnerability could allow remote code execution if a user received a specially crafted HTTP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system. | ||||
Vulnerabilities: CVE-2010-1256 |
Included Updates: 982666 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS10-039 |
Title: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554) |
Update Type: Security Update |
Severity: Important |
Date: 2010-06-08 |
Description: This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link. | ||||
Vulnerabilities: CVE-2010-0817 CVE-2010-1257 CVE-2010-1264 |
Included Updates: 2028554 979441 979445 980923 983444 |
Applies to: Office 2003 Office 2007 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS10-038 |
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452) |
Update Type: Security Update |
Severity: Important |
Date: 2010-06-08 |
Description: This security update resolves fourteen privately reported vulnerabilities in Microsoft Office. The more severe vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0821 CVE-2010-0822 CVE-2010-0823 CVE-2010-0824 CVE-2010-1245 CVE-2010-1246 CVE-2010-1247 CVE-2010-1248 CVE-2010-1249 CVE-2010-1250 CVE-2010-1251 CVE-2010-1252 CVE-2010-1253 CVE-2010-1254 |
Included Updates: 2027452 982299 982331 982333 |
Applies to: Office 2002/XP Office 2007 |
Bulletin ID: MS10-036 |
Title: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235) |
Update Type: Security Update |
Severity: Important |
Date: 2010-06-08 |
Description: This security update resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message. | ||||
Vulnerabilities: CVE-2010-1263 |
Included Updates: 982122 982124 982126 982127 982133 982134 982135 982157 982158 982308 982311 982312 983235 |
Applies to: Office 2003 Office 2007 |
Bulletin ID: MS10-035 |
Title: Cumulative Security Update for Internet Explorer (982381) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-06-08 |
Description: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0255 CVE-2010-1257 CVE-2010-1259 CVE-2010-1260 CVE-2010-1261 CVE-2010-1262 |
Included Updates: 982381 |
Applies to: Windows 2000 Windows 7 Windows Internet Explorer 7.0 Dynamic Installer Windows Internet Explorer 8 Dynamic Installer Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-033 |
Title: Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-06-08 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-1879 CVE-2010-1880 |
Included Updates: 975562 978695 979332 979482 979902 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-031 |
Title: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-05-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0815 |
Included Updates: 976321 976380 976382 978213 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-030 |
Title: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-05-11 |
Description: This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0816 |
Included Updates: 978542 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-025 |
Title: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-04-27 |
Description: This security update resolves a privately reported vulnerability in Windows Media Services running on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. On Microsoft Windows 2000 Server, Windows Media Services is an optional component and is not installed by default. | ||||
Vulnerabilities: CVE-2010-0478 |
Included Updates: 980858 |
Applies to: Windows 2000 |
Bulletin ID: MS10-024 |
Title: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) |
Update Type: Security Update |
Severity: Important |
Date: 2010-04-16 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service. By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition. | ||||
Vulnerabilities: CVE-2010-0024 CVE-2010-0025 |
Included Updates: 976323 976702 976703 981832 |
Applies to: Exchange 2000 Server Exchange Server 2003 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-029 |
Title: Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338) |
Update Type: Security Update |
Severity: Moderate |
Date: 2010-04-13 |
Description: This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Moderate for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows 7 and Windows Server 2008 R2 are not vulnerable because these operating systems include the feature deployed by this security update. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-0812 |
Included Updates: 978338 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-028 |
Title: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094) |
Update Type: Security Update |
Severity: Important |
Date: 2010-04-13 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0254 CVE-2010-0256 |
Included Updates: 979356 979364 979365 980094 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-027 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-04-13 |
Description: This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0268 |
Included Updates: 979402 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS10-023 |
Title: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160) |
Update Type: Security Update |
Severity: Important |
Date: 2010-04-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0479 |
Included Updates: 980466 980469 980470 981160 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-033 |
Title: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856) |
Update Type: Security Update |
Severity: Important |
Date: 2010-03-15 |
Description: This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2009-1542 |
Included Updates: 969856 |
Applies to: Virtual PC Virtual Server |
Bulletin ID: MS10-017 |
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150) |
Update Type: Security Update |
Severity: Important |
Date: 2010-03-09 |
Description: This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0257 CVE-2010-0258 CVE-2010-0260 CVE-2010-0261 CVE-2010-0262 CVE-2010-0263 CVE-2010-0264 |
Included Updates: 978380 978382 978383 978471 978474 979439 980150 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-016 |
Title: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561) |
Update Type: Security Update |
Severity: Important |
Date: 2010-03-09 |
Description: This security update addresses a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0265 |
Included Updates: 975561 |
Applies to: Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-015 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) |
Update Type: Security Update |
Severity: Important |
Date: 2010-03-02 |
Description: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-0232 CVE-2010-0233 |
Included Updates: 977165 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-014 |
Title: Vulnerability in Kerberos Could Allow Denial of Service (977290) |
Update Type: Security Update |
Severity: Important |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted. | ||||
Vulnerabilities: CVE-2010-0035 |
Included Updates: 977290 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 |
Bulletin ID: MS10-013 |
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0250 |
Included Updates: 975560 977914 977935 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-011 |
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037) |
Update Type: Security Update |
Severity: Important |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users. | ||||
Vulnerabilities: CVE-2010-0023 |
Included Updates: 978037 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-010 |
Title: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894) |
Update Type: Security Update |
Severity: Important |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-0026 |
Included Updates: 977894 |
Applies to: Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS10-009 |
Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-02-09 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link. | ||||
Vulnerabilities: CVE-2010-0239 CVE-2010-0240 CVE-2010-0241 CVE-2010-0242 |
Included Updates: 974145 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS10-007 |
Title: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler. | ||||
Vulnerabilities: CVE-2010-0027 |
Included Updates: 975713 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-005 |
Title: Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706) |
Update Type: Security Update |
Severity: Moderate |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0028 |
Included Updates: 978706 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-004 |
Title: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416) |
Update Type: Security Update |
Severity: Important |
Date: 2010-02-09 |
Description: This security update resolves six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0029 CVE-2010-0030 CVE-2010-0031 CVE-2010-0032 CVE-2010-0033 CVE-2010-0034 |
Included Updates: 973143 975416 976881 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS10-003 |
Title: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214) |
Update Type: Security Update |
Severity: Important |
Date: 2010-02-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0243 |
Included Updates: 977896 978214 |
Applies to: Office 2002/XP |
Bulletin ID: MS09-060 |
Title: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-02-09 |
Description: This security update resolves several privately reported vulnerabilities in ActiveX Controls for Microsoft Office that were compiled with a vulnerable version of Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0901 CVE-2009-2493 CVE-2009-2495 |
Included Updates: 972363 973702 973705 973709 973965 974234 974554 974556 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS10-001 |
Title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270) |
Update Type: Security Update |
Severity: Critical |
Date: 2010-01-12 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-0018 |
Included Updates: 972270 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-074 |
Title: Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-12-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Project. The vulnerability could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0102 |
Included Updates: 961079 961082 967183 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS09-073 |
Title: Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539) |
Update Type: Security Update |
Severity: Important |
Date: 2009-12-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft WordPad and Microsoft Office text converters. The vulnerability could allow remote code execution if a specially crafted Word 97 file is opened in WordPad or Microsoft Office. An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. | ||||
Vulnerabilities: CVE-2009-2506 |
Included Updates: 973904 974882 975008 975051 975539 977304 |
Applies to: Microsoft Works 8 Office 2002/XP Office 2003 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-071 |
Title: Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-12-08 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts. On Windows Server 2008, the Internet Authentication Service is replaced by Network Policy Server (NPS). An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. Servers using Internet Authentication Service or Network Policy Server are only affected when using PEAP with MS-CHAP v2 authentication. | ||||
Vulnerabilities: CVE-2009-2505 CVE-2009-3677 |
Included Updates: 974318 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-070 |
Title: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726) |
Update Type: Security Update |
Severity: Important |
Date: 2009-12-08 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled Web server. An attacker would need to be an authenticated user in order to exploit either of these vulnerabilities. | ||||
Vulnerabilities: CVE-2009-2508 CVE-2009-2509 |
Included Updates: 971726 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 |
Bulletin ID: MS09-069 |
Title: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392) |
Update Type: Security Update |
Severity: Important |
Date: 2009-12-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a remote, authenticated attacker, while communicating through Internet Protocol security (IPsec), sends a specially crafted ISAKMP message to the Local Security Authority Subsystem Service (LSASS) on an affected system. | ||||
Vulnerabilities: CVE-2009-3675 |
Included Updates: 974392 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-037 |
Title: Vulnerabilities in DNS Could Allow Spoofing (953230) |
Update Type: Security Update |
Severity: Important |
Date: 2009-12-08 |
Description: This security update resolves two privately reported vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems. | ||||
Vulnerabilities: CVE-2008-1447 CVE-2008-1454 |
Included Updates: 951746 951748 953230 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-076 |
Title: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807) |
Update Type: Security Update |
Severity: Important |
Date: 2009-11-24 |
Description: This security update resolves two privately reported vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3009 CVE-2008-3010 |
Included Updates: 952068 952069 954600 959807 972187 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-068 |
Title: Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307) |
Update Type: Security Update |
Severity: Important |
Date: 2009-11-10 |
Description: This security update resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-3135 |
Included Updates: 973443 973444 973866 976307 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS09-067 |
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652) |
Update Type: Security Update |
Severity: Important |
Date: 2009-11-10 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-3127 CVE-2009-3128 CVE-2009-3129 CVE-2009-3130 CVE-2009-3131 CVE-2009-3132 CVE-2009-3133 CVE-2009-3134 |
Included Updates: 972652 973471 973475 973484 973593 973704 973707 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-066 |
Title: Vulnerability in Active Directory Could Allow Denial of Service (973309) |
Update Type: Security Update |
Severity: Important |
Date: 2009-11-10 |
Description: This security update resolves a privately reported vulnerability in Active Directory directory service, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests. This vulnerability only affects domain controllers and systems configured to run ADAM or AD LDS. | ||||
Vulnerabilities: CVE-2009-1928 |
Included Updates: 973037 973039 973309 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-065 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince the user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the attacker's site. | ||||
Vulnerabilities: CVE-2009-1127 CVE-2009-2513 CVE-2009-2514 |
Included Updates: 969947 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-064 |
Title: Vulnerability in License Logging Server Could Allow Remote Code Execution (974783) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows 2000. The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. | ||||
Vulnerabilities: CVE-2009-2523 |
Included Updates: 974783 |
Applies to: Windows 2000 |
Bulletin ID: MS09-063 |
Title: Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves a privately reported vulnerability in the Web Services on Devices Application Programming Interface (WSDAPI) on the Windows operating system. The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. Only attackers on the local subnet would be able to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2009-2512 |
Included Updates: 973565 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS09-051 |
Title: Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves two privately reported vulnerabilities in Windows Media Runtime. The vulnerabilities could allow remote code execution if a user opened a specially crafted media file or received specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0555 CVE-2009-2525 |
Included Updates: 954155 969878 975025 975682 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-045 |
Title: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves a privately reported vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-1920 |
Included Updates: 971961 975542 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-070 |
Title: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. These vulnerabilities could allow remote code execution if a user browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3704 CVE-2008-4252 CVE-2008-4253 CVE-2008-4254 CVE-2008-4255 CVE-2008-4256 |
Included Updates: 932349 949045 949046 957797 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-069 |
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-11-10 |
Description: This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-0099 CVE-2008-4029 CVE-2008-4033 |
Included Updates: 951535 951550 951597 954430 954459 955069 955218 |
Applies to: Office 2003 Office 2007 Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-043 |
Title: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-10-27 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0562 CVE-2009-1136 CVE-2009-1534 CVE-2009-2496 |
Included Updates: 947318 947319 947320 947826 957638 968377 971388 |
Applies to: Acceleration Server 2004 Acceleration Server 2006 BizTalk Server 2002 Internet Security Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-062 |
Title: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-10-13 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-2500 CVE-2009-2501 CVE-2009-2502 CVE-2009-2503 CVE-2009-2504 CVE-2009-2518 CVE-2009-2528 CVE-2009-3126 |
Included Updates: 957488 958869 970892 970894 970895 970896 970899 971023 971108 971110 971111 971117 971118 971119 972221 972222 972580 972581 973636 974811 975365 975962 |
Applies to: Forefront Client Security Microsoft Works 8 Office 2002/XP Office 2003 Office 2007 Report Viewer 2005 Report Viewer 2008 SQL Server 2000 SQL Server 2005 Visual Studio 2005 Visual Studio 2008 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-059 |
Title: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467) |
Update Type: Security Update |
Severity: Important |
Date: 2009-10-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process. | ||||
Vulnerabilities: CVE-2009-2524 |
Included Updates: 975467 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-058 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486) |
Update Type: Security Update |
Severity: Important |
Date: 2009-10-13 |
Description: This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2009-2515 CVE-2009-2516 CVE-2009-2517 |
Included Updates: 971486 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-057 |
Title: Vulnerability in Indexing Service Could Allow Remote Code Execution (969059) |
Update Type: Security Update |
Severity: Important |
Date: 2009-10-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker set up a malicious Web page that invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system with the privileges of the user browsing the Web page. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-2507 |
Included Updates: 969059 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-056 |
Title: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571) |
Update Type: Security Update |
Severity: Important |
Date: 2009-10-13 |
Description: This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. | ||||
Vulnerabilities: CVE-2009-2510 CVE-2009-2511 |
Included Updates: 974571 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-053 |
Title: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) |
Update Type: Security Update |
Severity: Important |
Date: 2009-10-13 |
Description: This security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0. | ||||
Vulnerabilities: CVE-2009-2521 CVE-2009-3023 |
Included Updates: 975254 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-052 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-10-13 |
Description: This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if a specially crafted ASF file is played using Microsoft Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-2527 |
Included Updates: 974112 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-050 |
Title: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-10-13 |
Description: This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
Vulnerabilities: CVE-2009-2526 CVE-2009-2532 CVE-2009-3103 |
Included Updates: 975517 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-055 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-10-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3007 |
Included Updates: 950130 951944 953404 955047 |
Applies to: Office 2003 Office 2007 |
Bulletin ID: MS09-047 |
Title: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-09-22 |
Description: This security update resolves two privately reported vulnerabilities in Windows Media Format. Either vulnerability could allow remote code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-2498 CVE-2009-2499 |
Included Updates: 968816 972554 973812 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-049 |
Title: Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-09-08 |
Description: This security update resolves a privately reported vulnerability in Wireless LAN AutoConfig Service. The vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. Systems without a wireless card enabled are not at risk from this vulnerability. | ||||
Vulnerabilities: CVE-2009-1132 |
Included Updates: 970710 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS09-048 |
Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-09-08 |
Description: This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
Vulnerabilities: CVE-2008-4609 CVE-2009-1925 CVE-2009-1926 |
Included Updates: 967723 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista |
Bulletin ID: MS09-046 |
Title: Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-09-08 |
Description: This security update resolves a privately reported vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-2519 |
Included Updates: 956844 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-044 |
Title: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-09-08 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-1133 CVE-2009-1929 |
Included Updates: 956744 958469 958470 958471 970927 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-037 |
Title: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-09-08 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0015 CVE-2008-0020 CVE-2009-0901 CVE-2009-2493 CVE-2009-2494 |
Included Updates: 973354 973507 973540 973768 973815 973869 973908 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-036 |
Title: Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957) |
Update Type: Security Update |
Severity: Important |
Date: 2009-08-25 |
Description: This security update addresses a privately reported Denial of Service vulnerability in the Microsoft .NET Framework component of Microsoft Windows. This vulnerability can be exploited only when Internet Information Services (IIS) 7.0 is installed and ASP.NET is configured to use integrated mode on affected versions of Microsoft Windows. An attacker could create specially crafted anonymous HTTP requests that could cause the affected Web server to become non-responsive until the associated application pool is restarted. Customers who are running IIS 7.0 application pools in classic mode are not affected by this vulnerability. | ||||
Vulnerabilities: CVE-2009-1536 |
Included Updates: 970957 972591 972592 972593 972594 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS09-029 |
Title: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-08-25 |
Description: This security update resolves two privately reported vulnerabilities in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0231 CVE-2009-0232 |
Included Updates: 961371 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-042 |
Title: Vulnerability in Telnet Could Allow Remote Code Execution (960859) |
Update Type: Security Update |
Severity: Important |
Date: 2009-08-11 |
Description: This security update resolves a publicly disclosed vulnerability in the Microsoft Telnet service. The vulnerability could allow an attacker to obtain credentials and then use them to log back into affected systems. The attacker would then acquire user rights on a system identical to the user rights of the logged-on user. This scenario could ultimately result in remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-1930 |
Included Updates: 960859 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-041 |
Title: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) |
Update Type: Security Update |
Severity: Important |
Date: 2009-08-11 |
Description: This security update resolves a privately reported vulnerability in the Windows Workstation Service. The vulnerability could allow elevation of privilege if an attacker created a specially crafted RPC message and sent the message to an affected system. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to a vulnerable system in order to exploit this vulnerability. The vulnerability could not be exploited by anonymous users. | ||||
Vulnerabilities: CVE-2009-1544 |
Included Updates: 971657 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-040 |
Title: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) |
Update Type: Security Update |
Severity: Important |
Date: 2009-08-11 |
Description: This security update resolves a privately reported vulnerability in the Windows Message Queuing Service (MSMQ). The vulnerability could allow elevation of privilege if a user received a specially crafted request to an affected MSMQ service. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually install the Message Queuing component are likely to be vulnerable to this issue. | ||||
Vulnerabilities: CVE-2009-1922 |
Included Updates: 971032 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-039 |
Title: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-08-11 |
Description: This security update resolves two privately reported vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system version. Only customers who manually install this component are affected by this issue. | ||||
Vulnerabilities: CVE-2009-1923 CVE-2009-1924 |
Included Updates: 969883 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS09-038 |
Title: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-08-11 |
Description: This security update resolves two privately reported vulnerabilities in Windows Media file processing. Either vulnerability could allow remote code execution if a user opened a specially crafted AVI file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-1545 CVE-2009-1546 |
Included Updates: 971557 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-035 |
Title: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) |
Update Type: Security Update |
Severity: Moderate |
Date: 2009-08-03 |
Description: This security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin. | ||||
Vulnerabilities: CVE-2009-0901 CVE-2009-2493 CVE-2009-2495 |
Included Updates: 969706 971090 971091 971092 973673 973674 973675 973830 973923 973924 |
Applies to: Visual Studio 2005 Visual Studio 2008 |
Bulletin ID: MS09-031 |
Title: Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953) |
Update Type: Security Update |
Severity: Important |
Date: 2009-07-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation. | ||||
Vulnerabilities: CVE-2009-1135 |
Included Updates: 970811 970953 971143 |
Applies to: Acceleration Server 2006 Internet Security |
Bulletin ID: MS09-030 |
Title: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516) |
Update Type: Security Update |
Severity: Important |
Date: 2009-07-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0566 |
Included Updates: 969516 969693 |
Applies to: Office 2007 |
Bulletin ID: MS09-028 |
Title: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-07-14 |
Description: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-1537 CVE-2009-1538 CVE-2009-1539 |
Included Updates: 971633 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-027 |
Title: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-07-14 |
Description: This security update resolves two privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited either vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2009-0563 CVE-2009-0565 |
Included Updates: 969514 969602 969603 969604 969613 969614 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-026 |
Title: Vulnerability in RPC Could Allow Elevation of Privilege (970238) |
Update Type: Security Update |
Severity: Important |
Date: 2009-06-09 |
Description: This security update resolves a publicly disclosed vulnerability in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The vulnerability could allow an attacker to execute arbitrary code and take complete control of an affected system. Supported editions of Microsoft Windows are not delivered with any RPC servers or clients that are subject to exploitation of this vulnerability. In a default configuration, users could not be attacked by exploitation of this vulnerability. However, the vulnerability is present in the Microsoft Windows RPC runtime and could affect third-party RPC applications. | ||||
Vulnerabilities: CVE-2009-0568 |
Included Updates: 970238 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-025 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537) |
Update Type: Security Update |
Severity: Important |
Date: 2009-06-09 |
Description: This security update resolves two publicly disclosed and two privately reported vulnerabilities in the Windows kernel that could allow elevation of privilege. An attacker who successfully exploited any of these vulnerabilities could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2009-1123 CVE-2009-1124 CVE-2009-1125 CVE-2009-1126 |
Included Updates: 968537 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-024 |
Title: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-06-09 |
Description: This security update resolves a privately reported vulnerability in the Microsoft Works converters. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-1533 |
Included Updates: 957632 957646 967043 967044 968326 969559 |
Applies to: Microsoft Works 8 Microsoft Works 9 Office 2002/XP Office 2007 Works 6-9 Converter |
Bulletin ID: MS09-023 |
Title: Vulnerability in Windows Search Could Allow Information Disclosure (963093) |
Update Type: Security Update |
Severity: Moderate |
Date: 2009-06-09 |
Description: This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not preinstalled on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability. | ||||
Vulnerabilities: CVE-2009-0239 |
Included Updates: 963093 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-022 |
Title: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-06-09 |
Description: This security update resolves three privately reported vulnerabilities in Windows Print Spooler. The most severe vulnerability could allow remote code execution if an affected server received a specially crafted RPC request. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
Vulnerabilities: CVE-2009-0228 CVE-2009-0229 CVE-2009-0230 |
Included Updates: 961501 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-021 |
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-06-09 |
Description: This security update resolves several privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2009-0549 CVE-2009-0557 CVE-2009-0558 CVE-2009-0559 CVE-2009-0560 CVE-2009-0561 CVE-2009-1134 |
Included Updates: 969462 969679 969680 969681 969682 969685 969686 969737 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-020 |
Title: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) |
Update Type: Security Update |
Severity: Important |
Date: 2009-06-09 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user. Successful exploitation of these vulnerabilities would still restrict the attacker to the permissions granted to the anonymous user account by the file system ACLs. | ||||
Vulnerabilities: CVE-2009-1122 CVE-2009-1535 |
Included Updates: 970483 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-018 |
Title: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-06-09 |
Description: This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
Vulnerabilities: CVE-2009-1138 CVE-2009-1139 |
Included Updates: 969805 970437 971055 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-003 |
Title: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-05-26 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding. | ||||
Vulnerabilities: CVE-2009-0098 CVE-2009-0099 |
Included Updates: 959239 959241 959897 |
Applies to: Exchange 2000 Server Exchange Server 2003 Exchange Server 2007 |
Bulletin ID: MS07-026 |
Title: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-05-26 |
Description: This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0039 CVE-2007-0213 CVE-2007-0220 CVE-2007-0221 |
Included Updates: 931832 935490 |
Applies to: Exchange 2000 Server Exchange Server 2003 Exchange Server 2007 |
Bulletin ID: MS09-017 |
Title: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-05-12 |
Description: This security update resolves a publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0220 CVE-2009-0221 CVE-2009-0222 CVE-2009-0223 CVE-2009-0224 CVE-2009-0225 CVE-2009-0226 CVE-2009-0227 CVE-2009-0556 CVE-2009-1128 CVE-2009-1129 CVE-2009-1130 CVE-2009-1131 CVE-2009-1137 |
Included Updates: 957781 957784 957789 967340 969615 969618 970059 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-008 |
Title: Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238) |
Update Type: Security Update |
Severity: Important |
Date: 2009-05-12 |
Description: This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS server. These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems. | ||||
Vulnerabilities: CVE-2009-0093 CVE-2009-0094 CVE-2009-0233 CVE-2009-0234 |
Included Updates: 961063 961064 962238 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 |
Bulletin ID: MS07-040 |
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-05-07 |
Description: This update resolves three privately reported vulnerabilities. Two of these vulnerabilities could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET. In all remote code execution cases, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2006-7192 CVE-2007-0041 CVE-2007-0042 CVE-2007-0043 |
Included Updates: 928365 928366 928367 929729 929916 930494 931212 933854 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-012 |
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) |
Update Type: Security Update |
Severity: Important |
Date: 2009-04-29 |
Description: This security update resolves four publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system. | ||||
Vulnerabilities: CVE-2008-1436 CVE-2009-0078 CVE-2009-0079 CVE-2009-0080 |
Included Updates: 952004 956572 959454 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-016 |
Title: Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759) |
Update Type: Security Update |
Severity: Important |
Date: 2009-04-14 |
Description: This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packets to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker. | ||||
Vulnerabilities: CVE-2009-0077 CVE-2009-0237 |
Included Updates: 960995 961759 968075 968078 |
Applies to: Acceleration Server 2004 Acceleration Server 2006 Forefront TMG MBE Internet Security |
Bulletin ID: MS09-015 |
Title: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) |
Update Type: Security Update |
Severity: Moderate |
Date: 2009-04-14 |
Description: This security update resolves a publicly disclosed vulnerability in the Windows SearchPath function that could allow elevation of privilege if a user downloaded a specially crafted file to a specific location, then opened an application that could load the file under certain circumstances. | ||||
Vulnerabilities: CVE-2008-2540 |
Included Updates: 959426 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-013 |
Title: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-04-14 |
Description: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0086 CVE-2009-0089 CVE-2009-0550 |
Included Updates: 960803 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-011 |
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-04-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted MJPEG file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0084 |
Included Updates: 961373 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-010 |
Title: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-04-14 |
Description: This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Office Word. Do not open Microsoft Office, RTF, Write, or WordPerfect files from untrusted sources using affected versions of WordPad or Microsoft Office Word. | ||||
Vulnerabilities: CVE-2008-4841 CVE-2009-0087 CVE-2009-0088 CVE-2009-0235 |
Included Updates: 923561 933399 960476 960477 |
Applies to: Office 2002/XP Office 2003 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-009 |
Title: Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-04-14 |
Description: This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Office Excel. The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0100 CVE-2009-0238 |
Included Updates: 959988 959993 959995 959997 960000 960003 968557 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS07-055 |
Title: Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-03-24 |
Description: This critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in the way that the Kodak Image Viewer, formerly known as Wang Image Viewer, handles specially crafted images files. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-2217 |
Included Updates: 923810 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS09-007 |
Title: Vulnerability in SChannel Could Allow Spoofing (960225) |
Update Type: Security Update |
Severity: Important |
Date: 2009-03-10 |
Description: This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. Customers are only affected when the public key component of the certificate used for authentication has been obtained by the attacker through other means. | ||||
Vulnerabilities: CVE-2009-0085 |
Included Updates: 960225 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS09-006 |
Title: Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-03-10 |
Description: This security update resolves several privately reported vulnerabilities in the Windows kernel. The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system. | ||||
Vulnerabilities: CVE-2009-0081 CVE-2009-0082 CVE-2009-0083 |
Included Updates: 958690 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-072 |
Title: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-03-10 |
Description: This security update resolves eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-4024 CVE-2008-4025 CVE-2008-4026 CVE-2008-4027 CVE-2008-4028 CVE-2008-4030 CVE-2008-4031 CVE-2008-4837 |
Included Updates: 956329 956357 956358 956366 956828 957173 959487 |
Applies to: Microsoft Works 8 Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-005 |
Title: Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634) |
Update Type: Security Update |
Severity: Important |
Date: 2009-02-10 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2009-0095 CVE-2009-0096 CVE-2009-0097 |
Included Updates: 955654 955655 957634 957831 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS09-004 |
Title: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) |
Update Type: Security Update |
Severity: Important |
Date: 2009-02-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft SQL Server. The vulnerability could allow remote code execution if untrusted users access an affected system or if a SQL injection attack occurs to an affected system. Systems with SQL Server 7.0 Service Pack 4, SQL Server 2005 Service Pack 3, and SQL Server 2008 are not affected by this issue. | ||||
Vulnerabilities: CVE-2008-5416 |
Included Updates: 959420 960082 960083 960089 960090 |
Applies to: SQL Server 2000 SQL Server 2005 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 |
Bulletin ID: MS09-001 |
Title: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) |
Update Type: Security Update |
Severity: Critical |
Date: 2009-01-13 |
Description: This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
Vulnerabilities: CVE-2008-4114 CVE-2008-4834 CVE-2008-4835 |
Included Updates: 958687 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-066 |
Title: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803) |
Update Type: Security Update |
Severity: Important |
Date: 2009-01-13 |
Description: This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-3464 |
Included Updates: 956803 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-077 |
Title: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175) |
Update Type: Security Update |
Severity: Important |
Date: 2008-12-09 |
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure. | ||||
Vulnerabilities: CVE-2008-4032 |
Included Updates: 956716 957175 |
Applies to: Office 2007 |
Bulletin ID: MS08-075 |
Title: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This security update resolves two privately reported vulnerabilities in Windows Search. These vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-4268 CVE-2008-4269 |
Included Updates: 958623 958624 959349 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-074 |
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-4264 CVE-2008-4265 CVE-2008-4266 |
Included Updates: 958372 958434 958436 958437 958439 958442 959070 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-071 |
Title: Vulnerabilities in GDI Could Allow Remote Code Execution (956802) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-2249 CVE-2008-3465 |
Included Updates: 956802 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-017 |
Title: Vulnerabilities in GDI Could Allow Remote Code Execution (925902) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This update resolves several newly discovered, publicly disclosed and privately reported vulnerabilities as well as additional issues discovered through internal investigations. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5586 CVE-2006-5758 CVE-2007-0038 CVE-2007-1211 CVE-2007-1212 CVE-2007-1213 CVE-2007-1215 |
Included Updates: 925902 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-053 |
Title: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This update resolves several newly-discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0803 CAN-2005-2123 CAN-2005-2124 |
Included Updates: 896424 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-005 |
Title: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-25 |
Description: This update resolves a newly discovered, privately reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3448 |
Included Updates: 923723 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-068 |
Title: Vulnerability in SMB Could Allow Remote Code Execution (957097) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-11 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-4037 |
Included Updates: 957097 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-065 |
Title: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-11 |
Description: This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled. | ||||
Vulnerabilities: CVE-2008-3479 |
Included Updates: 951071 |
Applies to: Windows 2000 |
Bulletin ID: MS08-040 |
Title: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-11 |
Description: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. | ||||
Vulnerabilities: CVE-2008-0085 CVE-2008-0086 CVE-2008-0106 CVE-2008-0107 |
Included Updates: 941203 948108 948109 948110 948111 |
Applies to: SQL Server 2000 SQL Server 2005 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 |
Bulletin ID: MS08-062 |
Title: Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-28 |
Description: This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2008-1446 |
Included Updates: 953155 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-067 |
Title: Vulnerability in Server Service Could Allow Remote Code Execution (958644) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-23 |
Description: This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. | ||||
Vulnerabilities: CVE-2008-4250 |
Included Updates: 958644 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-064 |
Title: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. | ||||
Vulnerabilities: CVE-2008-4036 |
Included Updates: 956841 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-063 |
Title: Vulnerability in SMB Could Allow Remote Code Execution (957095) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-4038 |
Included Updates: 957095 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-061 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-14 |
Description: This security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2008-2250 CVE-2008-2251 CVE-2008-2252 |
Included Updates: 954211 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-060 |
Title: Vulnerability in Active Directory Could Allow Remote Code Execution (957280) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability. | ||||
Vulnerabilities: CVE-2008-4023 |
Included Updates: 957280 |
Applies to: Windows 2000 |
Bulletin ID: MS08-059 |
Title: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights. | ||||
Vulnerabilities: |
Included Updates: 956695 |
Applies to: Host Integration Server 2000 Host Integration Server 2004 Host Integration Server 2006 |
Bulletin ID: MS08-057 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-14 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3471 CVE-2008-3477 CVE-2008-4019 |
Included Updates: 955464 955466 955468 955470 955935 955936 955937 956416 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-056 |
Title: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) |
Update Type: Security Update |
Severity: Moderate |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site. | ||||
Vulnerabilities: CVE-2008-4020 |
Included Updates: 956464 957699 |
Applies to: Office 2002/XP |
Bulletin ID: MS08-054 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-09-13 |
Description: This security update resolves a privately reported vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-2253 |
Included Updates: 954154 |
Applies to: Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-053 |
Title: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-09-13 |
Description: This security update resolves a privately reported vulnerability in Windows Media Encoder 9 Series. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3008 |
Included Updates: 954156 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-052 |
Title: Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-09-09 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-5348 CVE-2008-3012 CVE-2008-3013 CVE-2008-3014 CVE-2008-3015 |
Included Updates: 938464 947738 947739 947742 947746 947748 952241 953405 954326 954478 954479 954593 954606 954607 954609 956483 956500 957177 |
Applies to: Forefront Client Security Microsoft Works 8 Office 2002/XP Office 2003 Office 2007 SQL Server 2000 SQL Server 2005 Visual Studio 2005 Visual Studio 2008 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-051 |
Title: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0120 CVE-2008-0121 CVE-2008-1455 |
Included Updates: 948988 948995 949041 949785 951338 954038 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-050 |
Title: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user’s logon ID and remotely log on to the user’s Messenger client impersonating that user. | ||||
Vulnerabilities: CVE-2008-0082 |
Included Updates: 946648 955702 |
Applies to: Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-049 |
Title: Vulnerabilities in Event System Could Allow Remote Code Execution (950974) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. | ||||
Vulnerabilities: CVE-2008-1456 CVE-2008-1457 |
Included Updates: 950974 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-048 |
Title: Security Update for Outlook Express and Windows Mail (951066) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This security update resolves a privately reported vulnerability in Outlook Express and Windows Mail. The vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1448 |
Included Updates: 951066 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-047 |
Title: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would disclose information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the contents of the traffic. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network. | ||||
Vulnerabilities: CVE-2008-2246 |
Included Updates: 953733 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-046 |
Title: Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This update resolves a privately reported vulnerability in the Microsoft Image Color Management (ICM) system that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-2245 |
Included Updates: 952954 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-044 |
Title: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves five privately reported vulnerabilities. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3018 CVE-2008-3019 CVE-2008-3020 CVE-2008-3021 CVE-2008-3460 |
Included Updates: 921596 921598 924090 925256 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-043 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-3003 CVE-2008-3004 CVE-2008-3005 CVE-2008-3006 |
Included Updates: 951546 951548 951551 951589 951596 953397 954066 955472 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-042 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This security update resolves a publicly reported vulnerability in Microsoft Word. This vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-2244 |
Included Updates: 954463 954464 955048 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-041 |
Title: Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. | ||||
Vulnerabilities: CVE-2008-2463 |
Included Updates: 955439 955440 955617 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-033 |
Title: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0011 CVE-2008-1444 |
Included Updates: 951698 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-022 |
Title: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-0083 |
Included Updates: 944338 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-047 |
Title: Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This important security update resolves two privately reported vulnerabilities. These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-3035 CVE-2007-3037 |
Included Updates: 936782 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-039 |
Title: Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) |
Update Type: Security Update |
Severity: Important |
Date: 2008-07-08 |
Description: This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client’s session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client’s OWA session. | ||||
Vulnerabilities: CVE-2008-2247 CVE-2008-2248 |
Included Updates: 949870 950159 953469 953747 |
Applies to: Exchange Server 2003 Exchange Server 2007 |
Bulletin ID: MS08-038 |
Title: Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582) |
Update Type: Security Update |
Severity: Important |
Date: 2008-07-08 |
Description: This security update resolves a publicly reported vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0951 CVE-2008-1435 |
Included Updates: 950582 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-030 |
Title: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-06-18 |
Description: This security update resolves a privately reported vulnerability in the Bluetooth stack in Windows that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-1453 |
Included Updates: 951376 |
Applies to: Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-036 |
Title: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762) |
Update Type: Security Update |
Severity: Important |
Date: 2008-06-10 |
Description: This security update resolves two privately reported vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service if malformed PGM packets are received by an affected system. An attacker who successfully exploited this vulnerability could cause a user’s system to become non-responsive and to require a restart to restore functionality. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. | ||||
Vulnerabilities: CVE-2008-1440 CVE-2008-1441 |
Included Updates: 950762 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-035 |
Title: Vulnerability in Active Directory Could Allow Denial of Service (953235) |
Update Type: Security Update |
Severity: Important |
Date: 2008-06-10 |
Description: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008; Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003; and Active Directory Lightweight Directory Service (AD LDS) when installed on Windows Server 2008. The vulnerability could be exploited to allow an attacker to cause a denial of service condition. On Windows XP Professional, Windows Server 2003, and Windows Server 2008, an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart. | ||||
Vulnerabilities: CVE-2008-1445 |
Included Updates: 949014 949269 953235 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-034 |
Title: Vulnerability in WINS Could Allow Elevation of Privilege (948745) |
Update Type: Security Update |
Severity: Important |
Date: 2008-06-10 |
Description: This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS) that could allow elevation of privilege. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2008-1451 |
Included Updates: 948745 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS07-068 |
Title: Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-06-10 |
Description: This critical security update resolves a privately reported vulnerability in Windows Media File Format. This vulnerability could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-0064 |
Included Updates: 941569 944275 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-078 |
Title: Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-06-10 |
Description: This update resolves two newly discovered vulnerabilities. These vulnerabilities are documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4702 CVE-2006-6134 |
Included Updates: 923689 925398 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-028 |
Title: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749) |
Update Type: Security Update |
Severity: Important |
Date: 2008-05-13 |
Description: This security update resolves a security vulnerability in the Microsoft Jet Database Engine (Jet) in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2005-0944 CVE-2007-6026 |
Included Updates: 950749 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-027 |
Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-05-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0119 |
Included Updates: 950114 950129 950213 951208 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-026 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-05-13 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1091 CVE-2008-1434 |
Included Updates: 950113 950241 950243 950625 951207 951808 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS06-069 |
Title: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-05-13 |
Description: This update resolves privately reported vulnerabilities in Macromedia Flash Player from Adobe, version 6.0.84.0 and earlier. Macromedia Flash Player is a third party software application that also was redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition. Each vulnerability is documented in the "Vulnerability Details" section of this bulletin. The Adobe Security Bulletin APSB06-11, issued September 12, 2006, describes the vulnerabilities and provides the download locations for customers who have installed Flash Player 7 and higher so that you can install the appropriate update based on the version of Flash Player you are using. Customers that have followed the guidance in the Adobe Security Bulletin are not at risk from these vulnerabilities. | ||||
Vulnerabilities: CVE-2006-3014 CVE-2006-3311 CVE-2006-3587 CVE-2006-3588 CVE-2006-4640 |
Included Updates: 923789 |
Applies to: Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-019 |
Title: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032) |
Update Type: Security Update |
Severity: Important |
Date: 2008-04-15 |
Description: This security update resolves privately reported vulnerabilities in Microsoft Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1089 CVE-2008-1090 |
Included Updates: 947590 947650 947896 949032 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-025 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693) |
Update Type: Security Update |
Severity: Important |
Date: 2008-04-08 |
Description: This security update resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2008-1084 |
Included Updates: 941693 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-021 |
Title: Vulnerabilities in GDI Could Allow Remote Code Execution (948590) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-04-08 |
Description: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-1083 CVE-2008-1087 |
Included Updates: 948590 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-020 |
Title: Vulnerability in DNS Client Could Allow Spoofing (945553) |
Update Type: Security Update |
Severity: Important |
Date: 2008-04-08 |
Description: This security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. | ||||
Vulnerabilities: CVE-2008-0087 |
Included Updates: 945553 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-018 |
Title: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-04-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1088 |
Included Updates: 948962 949005 950183 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-014 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-19 |
Description: This security update resolves several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0081 CVE-2008-0111 CVE-2008-0112 CVE-2008-0114 CVE-2008-0115 CVE-2008-0116 CVE-2008-0117 |
Included Updates: 943889 943985 946974 946976 947801 949029 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-017 |
Title: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-11 |
Description: This critical update resolves two privately reported vulnerabilities in Microsoft Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2006-4695 CVE-2007-1201 |
Included Updates: 932031 933103 |
Applies to: Office 2002/XP |
Bulletin ID: MS08-016 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-11 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0113 CVE-2008-0118 |
Included Updates: 947355 947866 949030 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-015 |
Title: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane. | ||||
Vulnerabilities: CVE-2008-0110 |
Included Updates: 945432 946983 946985 949031 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-013 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0103 |
Included Updates: 944423 945185 947108 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-012 |
Title: Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves two privately reported vulnerabilities in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0102 CVE-2008-0104 |
Included Updates: 946216 946254 947085 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-011 |
Title: Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important security update resolves three privately reported vulnerabilities in the Microsoft Works File Converter. These vulnerabilities could allow remote code execution if a user opens a specially crafted Works (.wps) file with an affected version of Microsoft Office, Microsoft Works, or Microsoft Works Suite. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2007-0216 CVE-2008-0105 CVE-2008-0108 |
Included Updates: 943973 947081 |
Applies to: Office 2003 |
Bulletin ID: MS08-009 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves one privately reported vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0109 |
Included Updates: 943957 943983 943992 947077 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-008 |
Title: Vulnerability in OLE Automation Could Allow Remote Code Execution (947890) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-0065 |
Included Updates: 943055 947890 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-007 |
Title: Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves one privately reported vulnerability in the WebDAV Mini-Redirector. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-0080 |
Included Updates: 946026 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-006 |
Title: Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A remote code execution vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). The WPI is configured with Network Service account privileges by default. IIS servers with ASP pages whose application pools are configured with a WPI that uses an account with administrative privileges could be more seriously impacted than IIS servers whose application pool is configured with the default WPI settings. | ||||
Vulnerabilities: CVE-2008-0075 |
Included Updates: 942830 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-005 |
Title: Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0074 |
Included Updates: 942831 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-004 |
Title: Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important update resolves a privately reported vulnerability in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. | ||||
Vulnerabilities: CVE-2008-0084 |
Included Updates: 946456 |
Applies to: Windows Vista |
Bulletin ID: MS08-003 |
Title: Vulnerability in Active Directory Could Allow Denial of Service (946538) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003. The vulnerability could allow a denial of service condition. On Windows Server 2003 and Windows XP an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart. | ||||
Vulnerabilities: CVE-2008-0088 |
Included Updates: 931374 943484 946538 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-002 |
Title: Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485) |
Update Type: Security Update |
Severity: Important |
Date: 2008-01-08 |
Description: This important update resolves a privately reported vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). The vulnerability could allow an attacker to run arbitrary code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2007-5352 |
Included Updates: 943485 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-001 |
Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-01-08 |
Description: This critical security update resolves two privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2007-0066 CVE-2007-0069 |
Included Updates: 941644 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-067 |
Title: Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653) |
Update Type: Security Update |
Severity: Important |
Date: 2007-12-11 |
Description: This important security update resolves one publicly disclosed vulnerability. A local elevation of privilege vulnerability exists in the way that the Macrovision driver incorrectly handles configuration parameters. A local attacker who successfully exploited this vulnerability could take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. | ||||
Vulnerabilities: CVE-2007-5587 |
Included Updates: 944653 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-066 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078) |
Update Type: Security Update |
Severity: Important |
Date: 2007-12-11 |
Description: This important security update resolves a privately reported vulnerability in the Windows kernel. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. | ||||
Vulnerabilities: CVE-2007-5350 |
Included Updates: 943078 |
Applies to: Windows Vista |
Bulletin ID: MS07-065 |
Title: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) |
Update Type: Security Update |
Severity: Important |
Date: 2007-12-11 |
Description: This important security update resolves a privately reported vulnerability in Message Queuing Service (MSMQ) that could allow remote code execution in implementations on Microsoft Windows 2000, or elevation of privilege in implementations on Microsoft Windows XP. An attacker must have valid logon credentials to exploit the elevation of privilege vulnerability on Windows XP. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2007-3039 |
Included Updates: 937894 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS07-064 |
Title: Vulnerabilities in DirectX Could Allow Remote Code Execution (941568) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-12-11 |
Description: This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-3895 CVE-2007-3901 |
Included Updates: 941568 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-063 |
Title: Vulnerability in SMBv2 Could Allow Remote Code Execution (942624) |
Update Type: Security Update |
Severity: Important |
Date: 2007-12-11 |
Description: This important security update resolves a privately reported vulnerability in Server Message Block Version 2 (SMBv2). The vulnerability could allow an attacker to tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2. | ||||
Vulnerabilities: CVE-2007-5351 |
Included Updates: 942624 |
Applies to: Windows Vista |
Bulletin ID: MS07-038 |
Title: Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807) |
Update Type: Security Update |
Severity: Moderate |
Date: 2007-12-11 |
Description: This moderate security update resolves a privately reported vulnerability. This vulnerability could allow incoming unsolicited network traffic to access a network interface. An attacker could potentially gather information about the affected host. | ||||
Vulnerabilities: CVE-2007-3038 |
Included Updates: 935807 |
Applies to: Windows Vista |
Bulletin ID: MS05-004 |
Title: ASP.NET Path Validation Vulnerability (887219) |
Update Type: Security Update |
Severity: Important |
Date: 2007-12-11 |
Description: This update resolves a public vulnerability in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access. The vulnerability is documented in the Vulnerability Details section of this bulletin.An attacker who successfully exploited this vulnerability could gain unauthorized access to parts of a Web site. The actions that the attacker could take would depend on the specific content being protected. | ||||
Vulnerabilities: CAN-2004-0847 |
Included Updates: 886903 886906 887219 887998 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-062 |
Title: Vulnerability in DNS Could Allow Spoofing (941672) |
Update Type: Security Update |
Severity: Important |
Date: 2007-11-13 |
Description: This important security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. | ||||
Vulnerabilities: CVE-2007-3898 |
Included Updates: 941672 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS07-061 |
Title: Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-11-13 |
Description: This update resolves a publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003. | ||||
Vulnerabilities: CVE-2007-3896 |
Included Updates: 943460 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-056 |
Title: Security Update for Outlook Express and Windows Mail (941202) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-11-13 |
Description: This critical security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution due to an incorrectly handled malformed NNTP response. An attacker could exploit the vulnerability by constructing a specially crafted Web page. | ||||
Vulnerabilities: CVE-2007-3897 |
Included Updates: 941202 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-049 |
Title: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986) |
Update Type: Security Update |
Severity: Important |
Date: 2007-11-13 |
Description: This important security update resolves one privately reported vulnerability. This is an elevation of privilege vulnerability. The vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating system. Only guest operating system users who are granted administrative permissions to the guest operating system would be able to exploit this vulnerability. Guest operating system users not granted administrative permissions to the guest operating system would be unable to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2007-0948 |
Included Updates: 937986 |
Applies to: Virtual PC Virtual Server |
Bulletin ID: MS07-060 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-10-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file with a malformed string. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-3899 |
Included Updates: 942670 942695 |
Applies to: Office 2002/XP |
Bulletin ID: MS07-059 |
Title: Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017) |
Update Type: Security Update |
Severity: Important |
Date: 2007-10-09 |
Description: This security update resolves a publicly reported vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could allow an attacker to run arbitrary script that could result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. The vulnerability could also allow an attacker to run arbitrary script to modify a user’s cache, resulting in information disclosure at the workstation. | ||||
Vulnerabilities: CVE-2007-2581 |
Included Updates: 934525 937832 942017 |
Applies to: Office 2007 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS07-058 |
Title: Vulnerability in RPC Could Allow Denial of Service (933729) |
Update Type: Security Update |
Severity: Important |
Date: 2007-10-09 |
Description: This update resolves a privately reported vulnerability. A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-2228 |
Included Updates: 933729 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-053 |
Title: Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778) |
Update Type: Security Update |
Severity: Important |
Date: 2007-09-25 |
Description: This important security update resolves one publicly disclosed vulnerability. A vulnerability exists in Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications where running certain setuid binary files could allow an attacker to gain elevation of privilege. | ||||
Vulnerabilities: CVE-2007-3036 |
Included Updates: 939778 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista |
Bulletin ID: MS07-052 |
Title: Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522) |
Update Type: Security Update |
Severity: Important |
Date: 2007-09-13 |
Description: This important security update resolves a publicly disclosed vulnerability. This vulnerability could allow remote code execution if a user opens a specially crafted RPT file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2006-6133 |
Included Updates: 937060 937061 941522 |
Applies to: Visual Studio 2005 |
Bulletin ID: MS07-051 |
Title: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-09-11 |
Description: This critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-3040 |
Included Updates: 938827 |
Applies to: Windows 2000 |
Bulletin ID: MS04-032 |
Title: Security Update for Microsoft Windows (840987) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-09-11 |
Description: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2004-0207 CAN-2004-0208 CAN-2004-0209 CAN-2004-0211 |
Included Updates: 840987 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS04-019 |
Title: Vulnerability in Utility Manager Could Allow Code Execution (842526) |
Update Type: Security Update |
Severity: Important |
Date: 2007-09-11 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0213 |
Included Updates: 842526 |
Applies to: Windows 2000 |
Bulletin ID: MS07-050 |
Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This security update resolves a privately reported vulnerability in the Vector Markup Language (VML) implementation in Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-1749 |
Included Updates: 938127 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-048 |
Title: Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123) |
Update Type: Security Update |
Severity: Important |
Date: 2007-08-14 |
Description: This important security update resolves two privately reported vulnerabilities in addition to other vulnerabilities identified during the course of the investigation. These vulnerabilities could allow an anonymous remote attacker to run code with the privileges of the logged on user. If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system. In all attack vectors, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-3032 CVE-2007-3033 CVE-2007-3891 |
Included Updates: 938123 |
Applies to: Windows Vista |
Bulletin ID: MS07-046 |
Title: Vulnerability in GDI Could Allow Remote Code Execution (938829) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in the Graphics Rendering Engine in the way that it handles specially crafted images. An attacker could exploit the vulnerability by constructing a specially crafted image that could potentially allow remote code execution if a user opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system. | ||||
Vulnerabilities: CVE-2007-3034 |
Included Updates: 938829 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-045 |
Title: Cumulative Security Update for Internet Explorer (937143) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This critical security update resolves three privately reported vulnerabilities. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-0943 CVE-2007-1891 CVE-2007-1892 CVE-2007-2216 CVE-2007-3041 |
Included Updates: 937143 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-044 |
Title: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This security update resolves a privately reported vulnerability in addition to other security issues identified during the course of the investigation. These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-3890 |
Included Updates: 940601 940602 940604 940965 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-043 |
Title: Vulnerability in OLE Automation Could Allow Remote Code Execution (921503) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-2224 |
Included Updates: 921503 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-042 |
Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. The vulnerability could be exploited through attacks on Microsoft XML Core Services. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-2223 |
Included Updates: 933579 936021 936048 936056 936181 936227 936960 |
Applies to: Office 2003 Office 2007 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-014 |
Title: Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-08-14 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0003 |
Included Updates: 911562 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS04-016 |
Title: Vulnerability in DirectPlay Could Allow Denial of Service (839643) |
Update Type: Security Update |
Severity: Moderate |
Date: 2007-08-14 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A denial of service vulnerability exists in the implementation of the IDirectPlay4 application programming interface (API) of Microsoft DirectPlay because of a lack of robust packet validation. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: |
Included Updates: 839643 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS07-041 |
Title: Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373) |
Update Type: Security Update |
Severity: Important |
Date: 2007-07-10 |
Description: This important security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if an attacker sent specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2. IIS 5.1 is not part of a default install of Windows XP Professional Service Pack 2. An attacker who successfully exploited this vulnerability could take complete control of the affected system. | ||||
Vulnerabilities: CVE-2005-4360 |
Included Updates: 939373 |
Applies to: Windows XP |
Bulletin ID: MS07-039 |
Title: Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-07-10 |
Description: This critical security update resolves a privately reported vulnerability in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition. Attacks attempting to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible. On Windows Server 2003 an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2007-0040 CVE-2007-3028 |
Included Updates: 926122 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS07-037 |
Title: Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548) |
Update Type: Security Update |
Severity: Important |
Date: 2007-07-10 |
Description: This important security update resolves one publicly disclosed vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Microsoft Office Publisher file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. User interaction is required to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2007-1754 |
Included Updates: 936548 936646 |
Applies to: Office 2007 |
Bulletin ID: MS07-036 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-07-10 |
Description: This critical update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation. These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-1756 CVE-2007-3029 CVE-2007-3030 |
Included Updates: 936507 936508 936509 936513 936514 936542 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS06-039 |
Title: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-07-10 |
Description: This update resolves two newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section in this bulletin. | ||||
Vulnerabilities: CVE-2006-0007 CVE-2006-0033 |
Included Updates: 914455 914796 915384 920102 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-035 |
Title: Vulnerability in Win 32 API Could Allow Remote Code Execution (935839) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-06-26 |
Description: This critical security update resolves a privately reported vulnerability in a Win32 API. This vulnerability could allow remote code execution or elevation of privilege if the affected API is used locally by a specially crafted application. Therefore applications that use this component of the Win32 API could be used as a vector for this vulnerability. For example, Internet Explorer uses this Win32 API function when parsing specially crafted Web pages. | ||||
Vulnerabilities: CVE-2007-2219 |
Included Updates: 935839 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-032 |
Title: Vulnerability in Windows Vista Could Allow Information Disclosure (931213) |
Update Type: Security Update |
Severity: Moderate |
Date: 2007-06-26 |
Description: This moderate security update resolves a privately reported vulnerability. This vulnerability could allow non-privileged users to access local user information data stores including administrative passwords contained within the registry and local file system. | ||||
Vulnerabilities: CVE-2007-2229 |
Included Updates: 931213 |
Applies to: Windows Vista |
Bulletin ID: MS07-022 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784) |
Update Type: Security Update |
Severity: Important |
Date: 2007-06-26 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-1206 |
Included Updates: 931784 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS07-034 |
Title: Cumulative Security Update for Outlook Express and Windows Mail (929123) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-06-19 |
Description: This critical security update resolves two privately reported and two publicly disclosed vulnerabilities. One of these vulnerabilities could allow remote code execution if a user viewed a specially crafted e-mail using Windows Mail in Windows Vista. The other vulnerabilities could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer and cannot be exploited directly in Outlook Express. For the information disclosure vulnerabilities, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2006-2111 CVE-2007-1658 CVE-2007-2225 CVE-2007-2227 |
Included Updates: 929123 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-031 |
Title: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-06-12 |
Description: This critical security update resolves a privately reported vulnerability in the Secure Channel (Schannel) security package in Windows. The Schannel security package implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using an Internet Web browser or used an application that makes use of SSL/TLS. However, attempts to exploit this vulnerability would most likely result in the Internet Web browser or application exiting. The system would not be able to connect to Web sites or resources using SSL or TLS until a restart of the system. | ||||
Vulnerabilities: CVE-2007-2218 |
Included Updates: 935840 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-030 |
Title: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051) |
Update Type: Security Update |
Severity: Important |
Date: 2007-06-12 |
Description: This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation. The privately reported vulnerabilities could allow remote code execution if a user opened a specially crafted Visio file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. User interaction is required to exploit these vulnerabilities. | ||||
Vulnerabilities: CVE-2007-0934 CVE-2007-0936 |
Included Updates: 927051 931280 931281 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-018 |
Title: Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-06-12 |
Description: This update resolves two newly discovered, privately reported vulnerabilities. Each vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0938 CVE-2007-0939 |
Included Updates: 924429 925939 |
Applies to: Office 2002/XP |
Bulletin ID: MS07-012 |
Title: Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667) |
Update Type: Security Update |
Severity: Important |
Date: 2007-06-12 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0025 |
Included Updates: 924667 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-025 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-15 |
Description: This update resolves a privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-1747 |
Included Updates: 934062 934180 934705 934873 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS07-023 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-15 |
Description: This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0215 CVE-2007-1203 CVE-2007-1214 |
Included Updates: 933666 933688 934233 934445 934453 934670 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS07-029 |
Title: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-08 |
Description: This update resolves a publicly disclosed vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-1748 |
Included Updates: 935966 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS07-028 |
Title: Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-08 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0940 |
Included Updates: 931906 |
Applies to: CAPICOM |
Bulletin ID: MS07-024 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-08 |
Description: This update resolves several newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0035 CVE-2007-0870 CVE-2007-1202 cve-2007-0870 |
Included Updates: 934041 934181 934232 934394 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-009 |
Title: Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-08 |
Description: This update resolves a public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5559 |
Included Updates: 927779 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-068 |
Title: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-05-08 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3445 |
Included Updates: 920213 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-032 |
Title: Vulnerability in Microsoft Agent Could Allow Spoofing (890046) |
Update Type: Security Update |
Severity: Moderate |
Date: 2007-05-08 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. This vulnerability could enable an attacker to spoof trusted Internet content. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1214 |
Included Updates: 890046 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-071 |
Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-04-24 |
Description: This update resolves a newly discovered, publicly disclosed vulnerability. The vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5745 |
Included Updates: 927977 927978 928088 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-021 |
Title: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-04-10 |
Description: This update resolves several newly discovered, privately and publicly disclosed vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2006-6696 CVE-2006-6797 CVE-2007-1209 |
Included Updates: 930178 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-020 |
Title: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-04-10 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-1205 |
Included Updates: 932168 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-019 |
Title: Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-04-10 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CVE-2007-1204 |
Included Updates: 931261 |
Applies to: Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-015 |
Title: Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-03-13 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0012 |
Included Updates: 908531 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-015 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-02-13 |
Description: This update resolves two newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3877 CVE-2007-0671 |
Included Updates: 929063 929064 932554 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-014 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-02-13 |
Description: This update resolves several newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5994 CVE-2006-6456 CVE-2006-6561 CVE-2007-0208 CVE-2007-0209 CVE-2007-0515 |
Included Updates: 924883 929057 929061 929434 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-013 |
Title: Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118) |
Update Type: Security Update |
Severity: Important |
Date: 2007-02-13 |
Description: This update addresses a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-1311 |
Included Updates: 918118 920813 920816 929437 |
Applies to: Office 2002/XP Office 2003 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-011 |
Title: Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436) |
Update Type: Security Update |
Severity: Important |
Date: 2007-02-13 |
Description: This update resolves a newly discovered, privately reported, vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0026 |
Included Updates: 926436 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-008 |
Title: Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-02-13 |
Description: This update resolves a newly discovered, privately reported vulnerability as well as additional issues discovered through internal investigations. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0214 |
Included Updates: 928843 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-007 |
Title: Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802) |
Update Type: Security Update |
Severity: Important |
Date: 2007-02-13 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0210 |
Included Updates: 927802 |
Applies to: Windows XP |
Bulletin ID: MS07-006 |
Title: Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255) |
Update Type: Security Update |
Severity: Important |
Date: 2007-02-13 |
Description: This update resolves a newly discovered, privately reported, vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0211 |
Included Updates: 928255 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-004 |
Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-01-09 |
Description: This update resolves a public vulnerability as well as additional issues discovered through internal investigations. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0024 |
Included Updates: 929969 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-003 |
Title: Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-01-09 |
Description: This update addresses several newly discovered, privately and publicly reported vulnerabilities. The vulnerabilities are documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CVE-2006-1305 CVE-2007-0033 CVE-2007-0034 |
Included Updates: 921594 924085 925938 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-002 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198) |
Update Type: Security Update |
Severity: Critical |
Date: 2007-01-09 |
Description: This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2007-0027 CVE-2007-0028 CVE-2007-0029 CVE-2007-0030 CVE-2007-0031 |
Included Updates: 925257 925523 925525 927198 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS07-001 |
Title: Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585) |
Update Type: Security Update |
Severity: Important |
Date: 2007-01-09 |
Description: This update resolves a newly discovered, publicly reported vulnerability. The vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5574 |
Included Updates: 921585 |
Applies to: Office 2003 |
Bulletin ID: MS06-073 |
Title: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-12-13 |
Description: This update resolves a public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4704 |
Included Updates: 925674 |
Applies to: Visual Studio 2005 |
Bulletin ID: MS06-077 |
Title: Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121) |
Update Type: Security Update |
Severity: Important |
Date: 2006-12-12 |
Description: This update resolves a privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5584 |
Included Updates: 926121 |
Applies to: Windows 2000 |
Bulletin ID: MS06-076 |
Title: Cumulative Security Update for Outlook Express (923694) |
Update Type: Security Update |
Severity: Important |
Date: 2006-12-12 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2386 |
Included Updates: 923694 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-075 |
Title: Vulnerability in Windows Could Allow Elevation of Privilege (926255) |
Update Type: Security Update |
Severity: Important |
Date: 2006-12-12 |
Description: This update resolves a privately identified vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5585 |
Included Updates: 926255 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-074 |
Title: Vulnerability in SNMP Could Allow Remote Code Execution (926247) |
Update Type: Security Update |
Severity: Important |
Date: 2006-12-12 |
Description: This update resolves a newly discovered, privately reported, vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-5583 |
Included Updates: 926247 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-066 |
Title: Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980) |
Update Type: Security Update |
Severity: Important |
Date: 2006-12-12 |
Description: This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4688 CVE-2006-4689 |
Included Updates: 923980 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-061 |
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-12-12 |
Description: This update resolves two newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4685 CVE-2006-4686 |
Included Updates: 924191 924424 925672 925673 |
Applies to: Office 2003 SQL Server Feature Pack Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-059 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-12-12 |
Description: This update addresses several newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-2387 CVE-2006-3431 CVE-2006-3867 CVE-2006-3875 |
Included Updates: 923088 923089 923275 924164 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-005 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-11-28 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0006 |
Included Updates: 911565 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-070 |
Title: Vulnerability in Workstation Service Could Allow Remote Code Execution (924270) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-11-14 |
Description: This update resolves a newly discovered, privately reported, vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4691 |
Included Updates: 924270 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS06-055 |
Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-11-14 |
Description: This update resolves a public vulnerability as well as additional issues discovered through internal investigations. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4868 |
Included Updates: 925486 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-065 |
Title: Vulnerability in Windows Object Packager Could Allow Remote Execution (924496) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-10-10 |
Description: This update resolves a newly discovered, privately reported, vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4692 |
Included Updates: 924496 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-064 |
Title: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819) |
Update Type: Security Update |
Severity: Low |
Date: 2006-10-10 |
Description: This update resolves a publicly disclosed vulnerability as well as additional issues discovered through internal investigations. | ||||
Vulnerabilities: CVE-2004-0230 CVE-2004-0790 CVE-2005-0688 |
Included Updates: 922819 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-063 |
Title: Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution (923414) |
Update Type: Security Update |
Severity: Important |
Date: 2006-10-10 |
Description: This update resolves publicly and privately reported vulnerabilities. The vulnerabilities are documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3942 CVE-2006-4696 |
Included Updates: 923414 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-062 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-10-10 |
Description: This update addresses several newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-3434 CVE-2006-3650 CVE-2006-3864 CVE-2006-3868 |
Included Updates: 922581 923272 923273 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-060 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-10-10 |
Description: This update addresses several newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-3647 CVE-2006-3651 CVE-2006-4534 CVE-2006-4693 |
Included Updates: 920817 923094 923276 924554 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-058 |
Title: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-10-10 |
Description: This update addresses several newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-3435 CVE-2006-3876 CVE-2006-3877 CVE-2006-4694 |
Included Updates: 923091 923092 924163 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-057 |
Title: Vulnerability in Windows Explorer Could Allow Remote Execution (923191) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-10-10 |
Description: This update resolves a newly discovered, publicly reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3730 |
Included Updates: 923191 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-056 |
Title: Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure (922770) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-10-10 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3436 |
Included Updates: 922770 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-030 |
Title: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715) |
Update Type: Security Update |
Severity: Important |
Date: 2006-10-10 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1213 |
Included Updates: 897715 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-049 |
Title: Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958) |
Update Type: Security Update |
Severity: Important |
Date: 2006-09-26 |
Description: This update resolves a newly discovered, publicly reported vulnerability and additional issues discovered through internal investigations. | ||||
Vulnerabilities: CVE-2006-3444 |
Included Updates: 920958 |
Applies to: Windows 2000 |
Bulletin ID: MS05-021 |
Title: Vulnerability in Exchange Server Could Allow Remote Code Execution (894549) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-09-26 |
Description: This update resolves a newly-discovered, privately-reported vulnerability in Microsoft Exchange Server that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0560 |
Included Updates: 894549 |
Applies to: Exchange 2000 Server Exchange Server 2003 |
Bulletin ID: MS06-054 |
Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-09-12 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0001 |
Included Updates: 894541 894542 910729 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-053 |
Title: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-09-12 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0032 |
Included Updates: 920685 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-052 |
Title: Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007) |
Update Type: Security Update |
Severity: Important |
Date: 2006-09-12 |
Description: This update resolves a newly discovered, privately reported, vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3442 |
Included Updates: 919007 |
Applies to: Windows XP |
Bulletin ID: MS06-042 |
Title: Cumulative Security Update for Internet Explorer (918899) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-09-12 |
Description: This update resolves several newly discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CVE-2004-1166 CVE-2006-3280 CVE-2006-3450 CVE-2006-3451 CVE-2006-3637 CVE-2006-3638 CVE-2006-3639 CVE-2006-3640 CVE-2006-3869 CVE-2006-3873 |
Included Updates: 918899 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-040 |
Title: Vulnerability in Server Service Could Allow Remote Code Execution (921883) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-09-12 |
Description: This update resolves a privately disclosed vulnerability as well as additional issues discovered through internal investigations. | ||||
Vulnerabilities: CVE-2006-3439 |
Included Updates: 921883 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-038 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-09-12 |
Description: This update resolves several newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-1316 CVE-2006-1318 CVE-2006-1540 CVE-2006-2389 |
Included Updates: 917150 917151 917284 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-034 |
Title: Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537) |
Update Type: Security Update |
Severity: Important |
Date: 2006-09-12 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0026 |
Included Updates: 917537 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-051 |
Title: Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves newly discovered, privately reported vulnerabilities and additional issues discovered through internal investigations. | ||||
Vulnerabilities: CVE-2006-3443 CVE-2006-3648 |
Included Updates: 917422 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-050 |
Title: Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670) |
Update Type: Security Update |
Severity: Important |
Date: 2006-08-08 |
Description: This update resolves two newly discovered vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3086 CVE-2006-3438 |
Included Updates: 920670 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-048 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves two newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-3449 CVE-2006-3590 |
Included Updates: 921566 921567 922968 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-047 |
Title: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3649 |
Included Updates: 920821 921645 |
Applies to: Office 2002/XP |
Bulletin ID: MS06-046 |
Title: Vulnerability in HTML Help Could Allow Remote Code Execution (922616) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves a newly discovered, publicly reported vulnerability as well as additional issues discovered through internal investigations. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2006-3357 CVE-2006-3357 |
Included Updates: 922616 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-045 |
Title: Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398) |
Update Type: Security Update |
Severity: Important |
Date: 2006-08-08 |
Description: This update resolves a newly-discovered, publicly-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3281 |
Included Updates: 921398 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-044 |
Title: Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-3643 |
Included Updates: 917008 |
Applies to: Windows 2000 |
Bulletin ID: MS06-043 |
Title: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves a newly-discovered, publicly-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin | ||||
Vulnerabilities: CVE-2006-2766 |
Included Updates: 920214 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-041 |
Title: Vulnerabilities in DNS Resolution Could Allow Remote Code Execution (920683) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves several newly discovered, privately reported, vulnerabilities. | ||||
Vulnerabilities: CVE-2006-3440 CVE-2006-3441 |
Included Updates: 920683 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-037 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-08-08 |
Description: This update resolves several newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CVE-2006-1301 CVE-2006-1302 CVE-2006-1304 CVE-2006-1306 CVE-2006-1308 CVE-2006-1309 CVE-2006-2388 CVE-2006-3059 |
Included Updates: 917285 918419 918420 918425 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-036 |
Title: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-07-11 |
Description: This update resolves a newly discovered, privately reported vulnerability as well as additional issues discovered through internal investigations. The privately reported vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2372 |
Included Updates: 914388 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-035 |
Title: Vulnerability in Server Service Could Allow Remote Code Execution (917159) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-07-11 |
Description: This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-1314 CVE-2006-1315 |
Included Updates: 917159 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-033 |
Title: Vulnerability in ASP.NET Could Allow Information Disclosure (917283) |
Update Type: Security Update |
Severity: Important |
Date: 2006-07-11 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-1300 |
Included Updates: 917283 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-028 |
Title: Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-07-11 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in this bulletin in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0022 |
Included Updates: 916518 916519 916768 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-027 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-07-11 |
Description: This update resolves a newly discovered, public vulnerability. The vulnerability is documented in this bulletin in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2492 |
Included Updates: 917334 917335 917336 917346 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-025 |
Title: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-06-27 |
Description: This update resolves several newly discovered, privately reported vulnerability. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2370 CVE-2006-2371 |
Included Updates: 911280 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-020 |
Title: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-06-27 |
Description: This update resolves publicly reported vulnerabilities. The vulnerabilities are documented in the "Vulnerability Details" section of this bulletin. These vulnerabilities are also documented in Macromedia Security Bulletin MPSB05-07 for customers using Flash Player 5 and 6. Customers who have installed Flash Player 7 and higher are advised to download the latest version from the Adobe website. Customers that have followed the guidance in Adobe Security Bulletin APSB06-03 are not at risk from the vulnerability. | ||||
Vulnerabilities: CVE-2005-2628 CVE-2006-0024 |
Included Updates: 913433 |
Applies to: Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-032 |
Title: Vulnerability in TCP/IP Could Allow Remote Code Execution (917953) |
Update Type: Security Update |
Severity: Important |
Date: 2006-06-13 |
Description: This update resolves a privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2379 |
Included Updates: 917953 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-031 |
Title: Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-06-13 |
Description: This update resolves a newly discovered, privately reported vulnerability. A spoofing vulnerability exists in the RPC service that could enable an attacker to spoof trusted network resource. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2380 |
Included Updates: 917736 |
Applies to: Windows 2000 |
Bulletin ID: MS06-030 |
Title: Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389) |
Update Type: Security Update |
Severity: Important |
Date: 2006-06-13 |
Description: This update resolves several newly discovered, privately reported vulnerability. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2373 CVE-2006-2374 |
Included Updates: 914389 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-024 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-06-13 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0025 |
Included Updates: 917734 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-023 |
Title: Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-06-13 |
Description: This update resolves a newly discovered vulnerability. A remote code execution vulnerability exists in Microsoft JScript that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-1313 |
Included Updates: 917344 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-022 |
Title: Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-06-13 |
Description: This update resolves a newly discovered, privately reported vulnerability. A remote code execution vulnerability exists in the way AOL ART images are handled. This vulnerability could allow an attacker to take complete control of an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-2378 |
Included Updates: 918439 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-018 |
Title: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-06-13 |
Description: This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0034 CVE-2006-1184 |
Included Updates: 913580 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-011 |
Title: Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798) |
Update Type: Security Update |
Severity: Important |
Date: 2006-06-13 |
Description: This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2006-0023 CVE-2006-0023 |
Included Updates: 914798 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS06-017 |
Title: Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-04-11 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0015 |
Included Updates: 908981 911701 917627 |
Applies to: Office 2002/XP Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS06-016 |
Title: Cumulative Security Update for Outlook Express (911567) |
Update Type: Security Update |
Severity: Important |
Date: 2006-04-11 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0014 |
Included Updates: 911567 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS04-018 |
Title: Cumulative Security Update for Outlook Express (823353) |
Update Type: Security Update |
Severity: Moderate |
Date: 2006-04-11 |
Description: This update resolves a public vulnerability. A denial of service vulnerability exists in Outlook Express because of a lack of robust verification for malformed e-mail headers. The vulnerability is documented in the Vulnerability Details section of this bulletin. This update also changes the default security settings for Outlook Express 5.5 Service Pack 2 (SP2). This change is documented in the Frequently Asked Questions related to this security update section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0215 |
Included Updates: 823353 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS06-012 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-03-14 |
Description: This update resolves several newly-discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2005-4131 CVE-2006-0009 CVE-2006-0028 CVE-2006-0029 CVE-2006-0030 CVE-2006-0031 |
Included Updates: 905413 905649 905754 905755 905756 905758 914451 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS06-007 |
Title: Vulnerability in TCP/IP Could Allow Denial of Service (913446) |
Update Type: Security Update |
Severity: Important |
Date: 2006-02-15 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: |
Included Updates: 913446 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-009 |
Title: Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege (901190) |
Update Type: Security Update |
Severity: Important |
Date: 2006-02-14 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0008 |
Included Updates: 901190 905645 909115 909118 |
Applies to: Office 2003 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-008 |
Title: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) |
Update Type: Security Update |
Severity: Important |
Date: 2006-02-14 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. | ||||
Vulnerabilities: CVE-2006-0013 |
Included Updates: 911927 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-006 |
Title: Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564) |
Update Type: Security Update |
Severity: Important |
Date: 2006-02-14 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0005 |
Included Updates: 911564 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS03-042 |
Title: Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-02-14 |
Description: Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 2000 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed. | ||||
Vulnerabilities: |
Included Updates: 826232 |
Applies to: Windows 2000 |
Bulletin ID: MS06-003 |
Title: Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-01-10 |
Description: This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CVE-2006-0002 |
Included Updates: 892841 892843 894689 902412 |
Applies to: Exchange 2000 Server Office 2002/XP Office 2003 |
Bulletin ID: MS06-002 |
Title: Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-01-10 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. | ||||
Vulnerabilities: CVE-2006-0010 |
Included Updates: 908519 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-001 |
Title: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919) |
Update Type: Security Update |
Severity: Critical |
Date: 2006-01-05 |
Description: This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2005-4560 |
Included Updates: 912919 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-055 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523) |
Update Type: Security Update |
Severity: Important |
Date: 2005-12-13 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-2827 |
Included Updates: 908523 |
Applies to: Windows 2000 |
Bulletin ID: MS05-050 |
Title: Vulnerability in DirectShow Could Allow Remote Code Execution (904706) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-12-13 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-2128 |
Included Updates: 904706 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-009 |
Title: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-11-08 |
Description: This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the processing of PNG image formats. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 CAN-2004-1244 |
Included Updates: 885492 887472 890261 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-022 |
Title: Vulnerability in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343) |
Update Type: Security Update |
Severity: Important |
Date: 2005-11-08 |
Description: Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions. | ||||
Vulnerabilities: |
Included Updates: 822343 |
Applies to: Windows 2000 |
Bulletin ID: MS05-051 |
Title: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-10-24 |
Description: This update resolves several newly-discovered, privately-reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1978 CAN-2005-1979 CAN-2005-1980 CAN-2005-2119 |
Included Updates: 902400 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-049 |
Title: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) |
Update Type: Security Update |
Severity: Important |
Date: 2005-10-13 |
Description: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CAN-2005-2117 CAN-2005-2118 CAN-2005-2122 |
Included Updates: 900725 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-047 |
Title: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) |
Update Type: Security Update |
Severity: Important |
Date: 2005-10-13 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an authenticated attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-2120 |
Included Updates: 905749 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS05-044 |
Title: Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering (905495) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-10-13 |
Description: This update resolves a newly-discovered, public vulnerability. A vulnerability exists in the Windows FTP client because of the way it validates file names. This vulnerability could allow an attacker to tamper with the file transfer location on the client during an FTP file transfer session. | ||||
Vulnerabilities: CAN-2005-2126 |
Included Updates: 905495 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-052 |
Title: Cumulative Security Update for Internet Explorer (896688) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-10-11 |
Description: This update resolves a newly-discovered public vulnerability and other privately-reported variations of the same vulnerability. The Microsoft DDS Library Shape Control (Msdds.dll) and other COM objects could, when instantiated in Internet Explorer, allow an attacker to take complete control of an affected system. Because these COM objects were not designed to be instantiated in Internet Explorer, this update sets the kill bit for the affected Class Identifiers (CLSID) in these COM objects. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-2127 |
Included Updates: 896688 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-026 |
Title: Vulnerability in HTML Help Could Allow Remote Code Execution (896358) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-10-11 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in HTML Help that could allow remote code execution on an affected system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1208 |
Included Updates: 896358 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-033 |
Title: Vulnerability in Telnet Client Could Allow Information Disclosure (896428) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-10-08 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this information disclosure vulnerability could remotely read the session variables for users who have open connections to a malicious telnet server. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1205 |
Included Updates: 896428 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-031 |
Title: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458) |
Update Type: Security Update |
Severity: Important |
Date: 2005-10-08 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1212 |
Included Updates: 898458 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP 64-Bit Edition Version 2003 |
Bulletin ID: MS05-027 |
Title: Vulnerability in Server Message Block Could Allow Remote Code Execution (896422) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-10-08 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. . An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1206 |
Included Updates: 896422 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-046 |
Title: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589) |
Update Type: Security Update |
Severity: Important |
Date: 2005-10-07 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Client Service for NetWare (CSNW). By default, CSNW is not installed on any affected operating system version. Only customers who manually installed CSNW could be vulnerable to this issue. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. This service is also called Gateway Service for NetWare on Windows 2000 Server. | ||||
Vulnerabilities: CAN-2005-1985 |
Included Updates: 899589 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS05-045 |
Title: Vulnerability in Network Connection Manager Could Allow Denial of Service (905414) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-10-07 |
Description: This update resolves a newly-discovered, public vulnerability. A vulnerability in Network Connection Manager could allow a denial of service on the affected platforms against the Network Connection Manager. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-2307 |
Included Updates: 905414 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-042 |
Title: Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-09-12 |
Description: This update resolves two newly-discovered vulnerabilities, a privately reported vulnerability and a publicly reported vulnerability. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1981 CAN-2005-1982 |
Included Updates: 899587 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-041 |
Title: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-09-12 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1218 |
Included Updates: 899591 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-040 |
Title: Vulnerability in Telephony Service Could Allow Remote Code Execution (893756) |
Update Type: Security Update |
Severity: Important |
Date: 2005-09-12 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exits in the Telephony Application Programming Interface (TAPI) service that could allow remote code execution. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0058 |
Included Updates: 893756 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS03-044 |
Title: Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-09-12 |
Description: A security vulnerability exists in the Help and Support Center function which ships with Windows XP and Windows Server 2003. The affected code is also included in all other supported Windows operating systems, although no known attack vector has been identified at this time because the HCP protocol is not supported on those platforms. The vulnerability results because a file associated with the HCP protocol contains an unchecked buffer. | ||||
Vulnerabilities: |
Included Updates: 825119 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-005 |
Title: Vulnerability in Microsoft Office XP could allow Remote Code Execution (873352) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-08-22 |
Description: This update resolves a newly-discovered, privately reported vulnerability that could allow an attacker to run code on the affected system. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0848 |
Included Updates: 873352 873354 873355 |
Applies to: Office 2002/XP |
Bulletin ID: MS05-043 |
Title: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-08-05 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Print Spooler service that could allow remote code execution. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1984 |
Included Updates: 896423 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-039 |
Title: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-08-05 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1983 |
Included Updates: 899588 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-018 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859) |
Update Type: Security Update |
Severity: Important |
Date: 2005-07-26 |
Description: This update resolves several newly-discovered, privately-reported vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0060 CAN-2005-0061 CAN-2005-0550 CAN-2005-0551 |
Included Updates: 890859 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS05-036 |
Title: Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-07-12 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1219 |
Included Updates: 901214 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-028 |
Title: Vulnerability in Web Client Service Could Allow Remote Code Execution (896426) |
Update Type: Security Update |
Severity: Important |
Date: 2005-06-27 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1207 |
Included Updates: 896426 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-019 |
Title: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-06-14 |
Description: This update resolves several newly-discovered, privately-reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section. | ||||
Vulnerabilities: CAN-2004-0230 CAN-2004-0790 CAN-2004-0791 CAN-2004-1060 CAN-2005-0048 CAN-2005-0688 |
Included Updates: 893066 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-024 |
Title: Vulnerability in Web View Could Allow Remote Code Execution (894320) |
Update Type: Security Update |
Severity: Important |
Date: 2005-05-10 |
Description: This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged on user. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-1191 |
Included Updates: 894320 |
Applies to: Windows 2000 |
Bulletin ID: MS05-010 |
Title: Vulnerability in the License Logging Service Could Allow Code Execution (885834) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-04-26 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0050 |
Included Updates: 885834 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS04-044 |
Title: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835) |
Update Type: Security Update |
Severity: Important |
Date: 2005-04-13 |
Description: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2004-0893 CAN-2004-0894 |
Included Updates: 885835 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-017 |
Title: Vulnerability in Message Queuing Could Allow Code Execution (892944) |
Update Type: Security Update |
Severity: Important |
Date: 2005-04-12 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Message Queuing component. By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually installed the Message Queuing component could be vulnerable to this issue. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0059 |
Included Updates: 892944 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS05-016 |
Title: Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086) |
Update Type: Security Update |
Severity: Important |
Date: 2005-04-12 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0063 |
Included Updates: 893086 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-008 |
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047) |
Update Type: Security Update |
Severity: Important |
Date: 2005-03-25 |
Description: This update resolves a newly-discovered vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. A privilege elevation vulnerability exists in Windows because of the way that Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow an attacker to save a file on the user’s system if a user visited a malicious Web site or viewed a malicious e-mail message. | ||||
Vulnerabilities: CAN-2003-1027 CAN-2004-0839 CAN-2004-0985 CAN-2005-0053 |
Included Updates: 890047 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-013 |
Title: Cumulative Security Update for Outlook Express (837009) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-03-25 |
Description: This is a cumulative update that includes the functionality of all the previously-released updates for Outlook Express 5.5 and Outlook Express 6. Additionally, it eliminates a new vulnerability that could allow an attacker who successfully exploited this vulnerability to access files and to take complete control of the affected system. This could occur even if Outlook Express is not used as the default e-mail reader on the system. | ||||
Vulnerabilities: CAN-2004-0380 |
Included Updates: 837009 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS04-012 |
Title: Cumulative Update for Microsoft RPC/DCOM (828741) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-03-25 |
Description: This update resolves several newly-discovered vulnerabilities in RPC/DCOM. Each vulnerability is documented in this bulletin in its own section. | ||||
Vulnerabilities: CAN-2003-0807 CAN-2003-0813 CAN-2004-0116 CAN-2004-0124 |
Included Updates: 828741 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-018 |
Title: Cumulative Patch for Internet Information Service (811114) |
Update Type: Security Update |
Severity: Important |
Date: 2005-03-25 |
Description: This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 since Windows 2000 Service Pack 2 and IIS 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". | ||||
Vulnerabilities: |
Included Updates: 811114 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS02-051 |
Title: Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure (Q324380) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-03-25 |
Description: The Remote Data Protocol (RDP) provides the means by which Windows systems can provide remote terminal sessions to clients. The protocol transmits information regarding a terminal sessions' keyboard, mouse and video to the remote client, and is used by Terminal Services in Windows NT 4.0 and Windows 2000, and by Remote Desktop in Windows XP. Two security vulnerabilities, both of which are eliminated by this patch, have been discovered in various RDP implementations. | ||||
Vulnerabilities: |
Included Updates: 324380 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS02-050 |
Title: Certificate Validation Flaw Could Enable Identity Spoofing (Q329115) |
Update Type: Security Update |
Severity: Important |
Date: 2005-03-08 |
Description: The original version of this bulletin was released on 05 September 2002. | ||||
Vulnerabilities: |
Included Updates: 329115 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS05-011 |
Title: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-23 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0045 |
Included Updates: 885250 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-015 |
Title: Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-19 |
Description: This update resolves a newly-discovered vulnerability. A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0199 |
Included Updates: 840374 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-014 |
Title: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-19 |
Description: Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the security update for non-English versions of Windows XP (as opposed to Windows XP Service Pack 1). The original update does address the vulnerability in Windows XP for all supported languages; however, the original update was not fully localized. Specifically, optional Jet error strings were only being offered in English on Windows XP. This issue does not affect other operating systems. If you have previously applied the security update for other operating systems, including Windows XP Service Pack 1, you need not take any additional action. | ||||
Vulnerabilities: CAN-2004-0197 |
Included Updates: 837001 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-011 |
Title: Security Update for Microsoft Windows (835732) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-19 |
Description: Microsoft re-issued this bulletin on June 15, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation update for the Pan Chinese language. | ||||
Vulnerabilities: CAN-2003-0533 CAN-2003-0663 CAN-2003-0719 CAN-2003-0806 CAN-2003-0906 CAN-2003-0907 CAN-2003-0908 CAN-2003-0909 CAN-2003-0910 CAN-2004-0117 CAN-2004-0118 CAN-2004-0119 CAN-2004-0120 CAN-2004-0123 |
Included Updates: 835732 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-008 |
Title: Vulnerability in Windows Media Services Could Allow a Denial of Service (832359) |
Update Type: Security Update |
Severity: Moderate |
Date: 2005-02-19 |
Description: A vulnerability exists because of the way that Windows Media Station Service and Windows Media Monitor Service, components of Windows Media Services, handle TCP/IP connections. If a remote user were to send a specially-crafted sequence of TCP/IP packets to the listening port of either of these services, the service could stop responding to requests and no additional connections could be made. The service must be restarted to regain its functionality. | ||||
Vulnerabilities: |
Included Updates: 832359 |
Applies to: Windows 2000 |
Bulletin ID: MS04-007 |
Title: ASN.1 Vulnerability Could Allow Code Execution (828028) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-19 |
Description: A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow. | ||||
Vulnerabilities: |
Included Updates: 828028 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-006 |
Title: Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-19 |
Description: A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. Most likely, this could cause a denial of service, and the service would have to be manually restarted to restore functionality. | ||||
Vulnerabilities: |
Included Updates: 830352 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS04-043 |
Title: Vulnerability in HyperTerminal Could Allow Code Execution (873339) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-17 |
Description: This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0568 |
Included Updates: 873339 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-037 |
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution (841356) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-17 |
Description: This update resolves several newly-discovered, public vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2004-0214 CAN-2004-0572 |
Included Updates: 841356 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS04-024 |
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-17 |
Description: This update resolves a newly-discovered, publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows Shell launches applications. | ||||
Vulnerabilities: CAN-2004-0420 |
Included Updates: 839645 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-022 |
Title: Vulnerability in Task Scheduler Could Allow Code Execution (841873) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-17 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0212 |
Included Updates: 841873 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS04-020 |
Title: Vulnerability in POSIX Could Allow Code Execution (841872) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-17 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A privilege elevation vulnerability exists in the POSIX operating system component (subsystem). The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0210 |
Included Updates: 841872 |
Applies to: Windows 2000 |
Bulletin ID: MS04-023 |
Title: Vulnerability in HTML Help Could Allow Code Execution (840315) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-12 |
Description: This update resolves two newly-discovered vulnerabilities. The HTML Help vulnerability was privately reported and the showHelp vulnerability is public. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2003-1041 CAN-2004-0201 |
Included Updates: 840315 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS05-015 |
Title: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-08 |
Description: This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0057 |
Included Updates: 888113 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-014 |
Title: Cumulative Security Update for Internet Explorer (867282) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-08 |
Description: This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section. | ||||
Vulnerabilities: CAN-2003-1027 CAN-2004-0839 CAN-2004-0985 CAN-2005-0053 CAN-2005-0054 CAN-2005-0055 CAN-2005-0056 |
Included Updates: 867282 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-013 |
Title: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-08 |
Description: This update resolves a newly-discovered, public vulnerability. A vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CAN-2004-1319 |
Included Updates: 891781 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-012 |
Title: Vulnerability in OLE and COM Could Allow Remote Code Execution (873333) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-02-08 |
Description: This update resolves several newly-discovered, privately-reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section. | ||||
Vulnerabilities: CAN-2005-0044 CAN-2005-0047 |
Included Updates: 873333 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-007 |
Title: Vulnerability in Windows Could Allow Information Disclosure (888302) |
Update Type: Security Update |
Severity: Important |
Date: 2005-02-08 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. | ||||
Vulnerabilities: CAN-2005-0051 |
Included Updates: 888302 |
Applies to: Windows XP |
Bulletin ID: MS05-002 |
Title: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-01-18 |
Description: This update resolves several newly-discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2004-1049 CAN-2004-1305 |
Included Updates: 891711 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS05-001 |
Title: Vulnerability in HTML Help Could Allow Code Execution (890175) |
Update Type: Security Update |
Severity: Critical |
Date: 2005-01-18 |
Description: This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. This vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-1043 |
Included Updates: 890175 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS05-003 |
Title: Vulnerability in the Indexing Service Could Allow Remote Code Execution (871250) |
Update Type: Security Update |
Severity: Important |
Date: 2005-01-11 |
Description: This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0897 |
Included Updates: 871250 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-045 |
Title: Vulnerability in WINS Could Allow Remote Code Execution (870763) |
Update Type: Security Update |
Severity: Important |
Date: 2004-12-15 |
Description: This update resolves several newly-discovered, public and privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2004-0567 CAN-2004-1080 |
Included Updates: 870763 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS04-041 |
Title: Vulnerability in WordPad Could Allow Code Execution (885836) |
Update Type: Security Update |
Severity: Important |
Date: 2004-12-15 |
Description: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. | ||||
Vulnerabilities: CAN-2004-0571 CAN-2004-0901 |
Included Updates: 885836 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-028 |
Title: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-12-15 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section. | ||||
Vulnerabilities: CAN-2004-0200 |
Included Updates: 833987 833989 886179 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-001 |
Title: Unchecked Buffer in Locator Service Could Lead to Code Execution (810833) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-12-15 |
Description: The Microsoft Locator service is a name service that maps logical names to network-specific names. It ships with Windows NT 4.0, Windows 2000, and Windows XP. By default, the Locator service is enabled only on Windows 2000 domain controllers and Windows NT 4.0 domain controllers; it is not enabled on Windows NT 4.0 workstations or member servers, Windows 2000 workstations or member servers, or Windows XP. | ||||
Vulnerabilities: |
Included Updates: 810833 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS04-034 |
Title: Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-11-20 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the way that Windows processes Compressed (zipped) Folders. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0575 |
Included Updates: 873376 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-031 |
Title: Vulnerability in NetDDE Could Allow Remote Code Execution (841533) |
Update Type: Security Update |
Severity: Important |
Date: 2004-11-20 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Network Dynamic Data Exchange (NetDDE) services because of an unchecked buffer. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0206 |
Included Updates: 841533 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS04-030 |
Title: Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (824151) |
Update Type: Security Update |
Severity: Important |
Date: 2004-11-20 |
Description: This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2003-0718 |
Included Updates: 824151 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS04-036 |
Title: Vulnerability in NNTP Could Allow Remote Code Execution (883935) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-10-12 |
Description: This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists within the Network News Transfer Protocol (NNTP) component of the affected operating systems. This vulnerability could potentially affect systems that do not use NNTP. This is because some programs that are listed in the affected software section require that the NNTP component be enabled before you can install them. The vulnerability is documented in the Vulnerability Details section of this bulletin. | ||||
Vulnerabilities: CAN-2004-0574 |
Included Updates: 883935 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS04-035 |
Title: Vulnerability in SMTP Could Allow Remote Code Execution (885881) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-10-12 |
Description: Subsequent to the release of this bulletin, it was determined that a variation of the vulnerability addressed also affects Exchange 2000 Server. Microsoft has updated the bulletin, on February 8, 2005, with additional information about Exchange 2000 Server and also to direct users to a security update for this additional affected platform. | ||||
Vulnerabilities: CAN-2004-0840 |
Included Updates: 885881 |
Applies to: Windows Server 2003 |
Bulletin ID: MS03-051 |
Title: Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-10-04 |
Description: Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects other versions of the affected products and components. Microsoft has updated the bulletin with additional information about Windows XP 64-Bit Edition and Office 2000 Server Extensions and also to direct users to an update for these additional affected platforms. | ||||
Vulnerabilities: |
Included Updates: 810217 813360 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-039 |
Title: Buffer Overrun In RPCSS Service Could Allow Code Execution (824146) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-10-04 |
Description: The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026 and includes the fix for the security vulnerability discussed in MS03-026, as well as 3 newly discovered vulnerabilities. | ||||
Vulnerabilities: |
Included Updates: 819696 824146 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-030 |
Title: Unchecked Buffer in DirectX Could Enable System Compromise (819696) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-07-23 |
Description: Subsequent to the original release of this bulletin, customers requested that we support additional versions of DirectX that were not covered by the original patches. This bulletin has been updated to provide information about a new patch, which is intended for customers using Windows 98, Windows 98 SE, Windows Millennium Edition, or Windows 2000 who have upgraded to Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, or 8.1b. | ||||
Vulnerabilities: |
Included Updates: 819696 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS02-063 |
Title: Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks (Q329834) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-06-10 |
Description: Windows 2000 and Windows XP natively support Point-to-Point Tunneling Protocol (PPTP), a Virtual Private Networking technology that is implemented as part of Remote Access Services (RAS). PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME. | ||||
Vulnerabilities: |
Included Updates: 329834 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-013 |
Title: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493) |
Update Type: Security Update |
Severity: Important |
Date: 2004-04-23 |
Description: Microsoft re-issued this bulletin on May 28, 2003 to advise on the availability of an updated Windows XP Service Pack 1 patch. This revised patch corrects the performance issues that some customers experienced with the original Windows XP Service Pack 1 patch. | ||||
Vulnerabilities: |
Included Updates: 811493 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-045 |
Title: Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141) |
Update Type: Security Update |
Severity: Important |
Date: 2004-04-13 |
Description: Microsoft re-issued this bulletin on Janurary 13, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation and Server patch for the Arabic, Hebrew, and Thai languages. | ||||
Vulnerabilities: |
Included Updates: 824141 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-043 |
Title: Buffer Overrun in Messenger Service Could Allow Code Execution (828035) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-04-09 |
Description: Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to insure that their system remains protected in the event that the wkssvc.dll is ever deleted or becomes corrupt. More information on this is available in the FAQ section of this bulletin. | ||||
Vulnerabilities: |
Included Updates: 828035 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-027 |
Title: Unchecked Buffer in Windows Shell Could Enable System Compromise (821557) |
Update Type: Security Update |
Severity: Important |
Date: 2004-04-09 |
Description: The Windows shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows desktop. It also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start programs. | ||||
Vulnerabilities: |
Included Updates: 821557 |
Applies to: Windows XP |
Bulletin ID: MS03-007 |
Title: Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-04-09 |
Description: Microsoft originally released this security bulletin on March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being used to attack Windows 2000 Servers running IIS 5.0. The attack vector in this case was WebDAV although the underlying vulnerability was in a core operating system component, ntdll.dll. Microsoft issued a patch to protect Windows 2000 customers shortly afterwards, but also continued to investigate the underlying vulnerability. During the course of that investigation, Microsoft found that Windows NT 4.0 also contains the underlying vulnerability in ntdll.dll, however it does not support WebDAV and therefore the known exploit was not effective against Windows NT 4.0. In addition, Microsoft has recently been made aware of this vulnerability as well in Windows XP. However, like Windows NT 4.0, Windows XP does not install Internet Information Services (IIS) by default. Microsoft has now released patches for Windows NT 4.0 and Windows XP. | ||||
Vulnerabilities: |
Included Updates: 815021 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-021 |
Title: Flaw In Windows Media Player May Allow Media Library Access (819639) |
Update Type: Security Update |
Severity: Moderate |
Date: 2004-03-05 |
Description: An ActiveX control included with Windows Media Player 9 Series allows Web page authors to create Web pages that can play media and provide a user interface by which the user can control playback. When a user visits a Web page with embedded media, the ActiveX control provides a user interface that allows the user to take such actions as pausing or rewinding the media. | ||||
Vulnerabilities: |
Included Updates: 819639 |
Applies to: Windows 2000 Windows Server 2003 Windows XP |
Bulletin ID: MS02-071 |
Title: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310) |
Update Type: Security Update |
Severity: Important |
Date: 2004-02-09 |
Description: Subsequent to the release of this bulletin it was determined that the patch for Microsoft Windows NT 4.0 machines introduced an error that could, under certain configurations, cause NT 4.0 to fail. Microsoft has investigated this issue and has released an updated patch for Windows NT 4.0. The bulletin has been updated to include the new download links for the NT 4.0 patch. The error did not affect NT 4.0 TSE, except for the Japanese Language. Customers running the Japanese version of NT 4.0 TSE should apply the updated fix. | ||||
Vulnerabilities: |
Included Updates: 328310 |
Applies to: Windows 2000 |
Bulletin ID: MS03-033 |
Title: Unchecked Buffer in MDAC Function Could Enable System Compromise (823718) |
Update Type: Security Update |
Severity: Important |
Date: 2004-01-12 |
Description: Microsoft Data Access Components (MDAC) is a collection of components that are used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems: | ||||
Vulnerabilities: |
Included Updates: 823718 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-017 |
Title: Flaw in Windows Media Player Skins Downloading could allow Code Execution (817787) |
Update Type: Security Update |
Severity: Critical |
Date: 2004-01-12 |
Description: Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of "skins". Skins are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins, each one providing an additional visual experience. Windows Media Player comes with several skins to choose from, but it is relatively easy to create and distribute custom skins. | ||||
Vulnerabilities: |
Included Updates: 817787 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS03-008 |
Title: Flaw in Windows Script Engine Could Allow Code Execution (814078) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-21 |
Description: The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript. | ||||
Vulnerabilities: |
Included Updates: 814078 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS02-072 |
Title: Unchecked Buffer in Windows Shell Could Enable System Compromise (329390) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-21 |
Description: The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications. | ||||
Vulnerabilities: |
Included Updates: 329390 |
Applies to: Windows XP |
Bulletin ID: MS03-031 |
Title: Cumulative Patch for Microsoft SQL Server (815495) |
Update Type: Security Update |
Severity: Important |
Date: 2003-11-14 |
Description: This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, MSDE 1.0, and MSDE 2000. In addition, it eliminates three newly discovered vulnerabilities. | ||||
Vulnerabilities: |
Included Updates: 815495 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS03-026 |
Title: Buffer Overrun In RPC Interface Could Allow Code Execution (823980) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-14 |
Description: Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. Subsequent to the release of this bulletin Microsoft has been made aware that additional ports involving RPC can be used to exploit this vulnerability. Information regarding these additional ports has been added to the mitigating factors and the Workaround section of the bulletin. In addition, Microsoft has released security bulletin MS03-039 and an updated scanning tool which supersedes this bulletin and the original scanning tool provided with it. | ||||
Vulnerabilities: |
Included Updates: 823980 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-023 |
Title: Buffer Overrun In HTML Converter Could Allow Code Execution (823559) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-14 |
Description: Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. The existing Windows 2000 security update will install successfully on Windows 2000 Service Pack 2 and is officially supported on that operating system version. | ||||
Vulnerabilities: |
Included Updates: 823559 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS02-070 |
Title: Flaw in SMB Signing Could Enable Group Policy to be Modified (329170) |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-11-14 |
Description: Subsequent to releasing this bulletin it was determined that the fix that eliminates the vulnerability was not included in Microsoft Windows XP Service Pack 1. The bulletin has been updated to reflect this fact, and the patch has been updated so that it installs on Windows XP Service Pack 1 systems. Customers who are currently running XP Service Pack 1 with SMB signing enabled should apply the patch. | ||||
Vulnerabilities: |
Included Updates: 329170 |
Applies to: Windows XP |
Bulletin ID: MS02-053 |
Title: Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution (Q324096) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-14 |
Description: The SmartHTML Interpreter (shtml.dll) is part of the FrontPage Server Extensions (FPSE) and Microsoft SharePoint Team Services, and provides support for web forms and other FrontPage-based dynamic content. The interpreter contains a flaw that could be exposed when processing a request for a particular type of web file, if the request had certain specific characteristics. This flaw affects the two versions of FrontPage Server Extensions differently. On FrontPage Server Extensions 2000, such a request would cause the interpreter to consume most or all CPU availability until the web service was restarted. An attacker could use this vulnerability to conduct a denial of service attack against an affected web server. On FrontPage Server Extensions 2002 and SharePoint Team Services 2002, the same type of request could cause a buffer overrun, potentially allowing an attacker to run code of his choice. | ||||
Vulnerabilities: |
Included Updates: 324096 |
Applies to: Windows XP |
Bulletin ID: MS02-048 |
Title: Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-14 |
Description: All versions of Windows ship with an ActiveX control known as the Certificate Enrollment Control, the purpose of which is to allow web-based certificate enrollments. The control is used to submit PKCS #10 compliant certificate requests, and upon receiving the requested certificate, stores it in the user's local certificate store. | ||||
Vulnerabilities: |
Included Updates: 323172 |
Applies to: Windows XP |
Bulletin ID: MS02-045 |
Title: Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830) |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-11-14 |
Description: SMB (Server Message Block) is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what described as a client server, request-response protocol. | ||||
Vulnerabilities: |
Included Updates: 326830 |
Applies to: Windows 2000 |
Bulletin ID: MS03-049 |
Title: Buffer Overrun in the Workstation Service Could Allow Code Execution (828749) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-11-06 |
Description: A security vulnerability exists in the Workstation service that could allow remote code execution on an affected system. This vulnerability results because of an unchecked buffer in the Workstation service. | ||||
Vulnerabilities: |
Included Updates: 828749 |
Applies to: Windows 2000 |
Bulletin ID: MS02-065 |
Title: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-10-21 |
Description: Microsoft Data Access Components (MDAC) is a collection of components used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems: | ||||
Vulnerabilities: |
Included Updates: 329414 |
Applies to: Windows 2000 |
Bulletin ID: MS02-042 |
Title: Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-10-21 |
Description: The Network Connection Manager (NCM) provides a controlling mechanism for all network connections managed by a host system. Among the functions of the NCM is to call a handler routine whenever a network connection has been established. | ||||
Vulnerabilities: |
Included Updates: 326886 |
Applies to: Windows 2000 |
Bulletin ID: MS02-024 |
Title: Authentication Flaw in Windows Debugger can Lead to Elevated Privileges (Q320206) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-10-21 |
Description: The Windows debugging facility provides a means for programs to perform diagnostic and analytic functions on applications as they are running on the operating system. One of these capabilities allows for a program, usually a debugger, to connect to any running program, and to take control of it. The program can then issue commands to the controlled program, including the ability to start other programs. These commands would then execute in the same security context as the controlled program. | ||||
Vulnerabilities: |
Included Updates: 320206 |
Applies to: Windows 2000 |
Bulletin ID: MS02-008 |
Title: XMLHTTP Control Can Allow Access to Local Files |
Update Type: Security Update |
Severity: Critical |
Date: 2003-10-21 |
Description: Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources. | ||||
Vulnerabilities: |
Included Updates: 317244 318202 318203 |
Applies to: Windows XP |
Bulletin ID: MS02-060 |
Title: Flaw in Windows XP Help and Support Center Could Enable File Deletion (Q328940) |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-10-16 |
Description: Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. | ||||
Vulnerabilities: |
Included Updates: 328940 |
Applies to: Windows XP |
Bulletin ID: MS03-041 |
Title: Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-10-13 |
Description: There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog. | ||||
Vulnerabilities: |
Included Updates: 823182 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS03-005 |
Title: Unchecked buffer in Windows redirector may permit privilege elevation (810577) |
Update Type: Security Update |
Severity: Important |
Date: 2003-10-13 |
Description: The Windows Redirector is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the "Add a Network Place" Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share. | ||||
Vulnerabilities: |
Included Updates: 810577 |
Applies to: Microsoft Windows XP |
Bulletin ID: MS02-054 |
Title: Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048) |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-10-13 |
Description: Zipped files (files having a .zip extension) provide a means to store information in a way that uses less space on a hard disk. This is accomplished by compressing the files that are put into in the zipped file. On Windows 98 with Plus! Pack, Windows Me and Windows XP, the Compressed Folders feature allows zipped files to be treated as folders. The Compressed Folders feature can be used to create, add files to, and extract files from zipped files. | ||||
Vulnerabilities: |
Included Updates: 329048 |
Applies to: Windows XP |
Bulletin ID: MS03-034 |
Title: Flaw in NetBIOS Could Lead to Information Disclosure (824105) |
Update Type: Security Update |
Severity: Low |
Date: 2003-09-09 |
Description: Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running these operating systems. Contact Microsoft Product Support Services to obtain these additional security updates. | ||||
Vulnerabilities: |
Included Updates: 824105 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP |
Bulletin ID: MS02-062 |
Title: Cumulative Patch for Internet Information Service (Q327696) |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-08-20 |
Description: It would run using the security settings on the user's machine that were appropriate to Web Site A. | ||||
Vulnerabilities: |
Included Updates: 327696 |
Applies to: Windows 2000 Windows XP |
Bulletin ID: MS02-029 |
Title: Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-08-05 |
Description: On June 12, 2002, Microsoft released the original version of this bulletin. On July 2, 2002, the bulletin was updated to reflect the availability of a revised patch. Although the original patch completely eliminated the vulnerability, it had the side effect of preventing non-administrative users from making VPN connections in some cases. The revised patch correctly handles VPN connections. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate. | ||||
Vulnerabilities: |
Included Updates: 318138 |
Applies to: Windows XP |
Bulletin ID: MS02-032 |
Title: 26 June 2002 Cumulative Patch for Windows Media Player (Q320920) |
Update Type: Security Update |
Severity: Critical |
Date: 2003-06-18 |
Description: On June 26, 2002, Microsoft released the original version of this bulletin, which described the patch it provided as being cumulative. We subsequently discovered that a file had been inadvertently omitted from the patch. While the omission had no effect on the effectiveness of the patch against the new vulnerabilities discussed below, it did mean that the patch was not cumulative. Specifically, the original patch did not include all of the fixes discussed in Microsoft Security Bulletin MS01-056. We have repackaged the patch to include the file and are re-releasing it to ensure that it truly is cumulative. | ||||
Vulnerabilities: |
Included Updates: 320920 |
Applies to: Windows XP |
Bulletin ID: MS02-006 |
Title: Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-05-06 |
Description: On February 12 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability. | ||||
Vulnerabilities: |
Included Updates: 314147 |
Applies to: Windows XP |
Bulletin ID: MS02-017 |
Title: Unchecked buffer in the Multiple UNC Provider Could Enable Code Execution (Q311967) |
Update Type: Security Update |
Severity: Moderate |
Date: 2003-02-18 |
Description: The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention). The MUP receives commands containing UNC names from applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider. | ||||
Vulnerabilities: |
Included Updates: 311967 |
Applies to: Windows XP |
Bulletin ID: MS02-009 |
Title: Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files |
Update Type: Security Update |
Severity: Critical |
Date: 2003-02-18 |
Description: Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame. | ||||
Vulnerabilities: |
Included Updates: 318089 |
Applies to: Windows 2000 |
Bulletin ID: MS01-059 |
Title: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise |
Update Type: Security Update |
Severity: Critical |
Date: 2003-02-18 |
Description: Universal Plug and Play (UPnP) allows computers to discover and use network-based devices. Windows ME and XP include native UPnP support; Windows 98 and 98SE do not include native UPnP support, but it can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network. | ||||
Vulnerabilities: |
Included Updates: 315000 |
Applies to: Windows XP |